Critical Google MCP Toolbox Vulnerability Exposes Enterprise Databases to Unauthorized Access
A severe security flaw in Google’s MCP Toolbox for Databases, tracked as CVE-2026-9739 (CVSS 9.4), allows unauthenticated attackers to use DNS rebinding to gain unauthorized command-level access to connected enterprise databases. The vulnerability affects organizations using the Server-Sent Events (SSE) transport mechanism in MCP specification v2024-11-05.
The issue stems from a hardcoded Access-Control-Allow-Origin: * header inadvertently left in the SSE initialization handler, overriding security protections introduced during the toolbox’s beta phase. This misconfiguration, classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains), enables attackers to bypass CORS protections by tricking Chrome browsers into treating malicious domains as trusted local resources.
Once exploited, attackers can establish unauthorized SSE connections to the Toolbox interface and execute arbitrary commands against Cloud SQL, AlloyDB, and Spanner databases. The flaw requires no privileges, has a network-based attack vector, and poses high risks to confidentiality, integrity, and availability.
Google acknowledged the issue on May 27, 2026, releasing a patch the following day via a GitHub advisory (issue #3053, PR #3054). While no proof-of-concept exploits or active attacks have been observed, the critical severity and broad enterprise exposure necessitate immediate action.
Related vulnerabilities (CVE-2026-34742 in the Go MCP SDK and CVE-2026-35568 in the MCP Java SDK) highlight systemic weaknesses in MCP’s origin validation. Organizations are advised to disable SSE connections if unused, enforce strict CORS policies, restrict Toolbox endpoints to trusted networks, and audit AI agent pipelines for exposed instances.
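The recommended strict CORS policy, sketched as Go middleware in front of an SSE handler: it checks the Host header (which still carries the attacker's hostname after a DNS rebind) and echoes only an allowlisted Origin instead of the wildcard. This is an added example, not the Toolbox's code or the patch in PR #3054; the allowlists, port, and `/mcp/sse` path are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed allowlists for a server bound to localhost:5000 (assumed values).
var allowedHosts = map[string]bool{"127.0.0.1:5000": true, "localhost:5000": true}
var allowedOrigins = map[string]bool{"http://localhost:5000": true}

// guardSSE rejects rebinding and cross-origin requests before the SSE handler runs.
func guardSSE(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// After DNS rebinding the browser still sends the attacker's hostname in Host.
		if !allowedHosts[r.Host] {
			http.Error(w, "unexpected Host", http.StatusForbidden)
			return
		}
		// Browsers attach Origin to cross-origin requests; non-browser clients omit it.
		if o := r.Header.Get("Origin"); o != "" {
			if !allowedOrigins[o] {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			// Echo the one vetted origin; never answer with the wildcard.
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Add("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the guard; returns status and ACAO header.
func probe(host, origin string) (int, string) {
	sse := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/event-stream")
		fmt.Fprint(w, "event: endpoint\ndata: /mcp\n\n")
	})
	req := httptest.NewRequest(http.MethodGet, "http://"+host+"/mcp/sse", nil)
	req.Header.Set("Origin", origin) // an empty value is treated as absent by the guard
	rec := httptest.NewRecorder()
	guardSSE(sse).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	fmt.Println(probe("localhost:5000", "http://localhost:5000"))
	fmt.Println(probe("rebind.example:5000", "http://rebind.example:5000"))
}
```

The Host check is what stops a rebound request, since the browser considers it same-origin and CORS headers never come into play.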
Source: https://cyberpress.org/mcp-toolbox-vulnerability-exposed/
Google Cloud Security cybersecurity rating report: https://www.rankiteo.com/company/googlecloudsecurity