CVE-2026-34237: MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *)
Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *)
References
- cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
- github.com/advisories/GHSA-hv2w-8mjj-jw22
- github.com/modelcontextprotocol/java-sdk
- github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java
- github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java
- github.com/modelcontextprotocol/java-sdk/security/advisories/GHSA-hv2w-8mjj-jw22
- nvd.nist.gov/vuln/detail/CVE-2026-34237