CVE-2026-35568: Java-SDK has a DNS Rebinding Vulnerability
The java-sdk contains a DNS rebinding vulnerability. It allows an attacker to reach a java-sdk MCP server that is local or on a private network through a victim's browser that is either local or network-adjacent to that server.
This allows an attacker to make any tool call to the server as if they were a locally running, MCP-connected AI agent.
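The general defence against DNS rebinding is for the local server to reject any request whose Host header (and Origin header, when a browser sends one) names something other than the addresses the server expects to be reached under. The following is an added example using only the JDK, not code from the java-sdk or its fix; the class name `RebindingGuard`, the allowlist, and the sample hostnames are assumptions.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;

public class RebindingGuard {
    // Assumption: the server is only meant to be reached under these names.
    static final Set<String> ALLOWED_HOSTS = Set.of("localhost", "127.0.0.1", "[::1]");

    /** Returns the host part of a Host header value, lower-cased, without the port. */
    static String hostOnly(String hostHeader) {
        if (hostHeader == null || hostHeader.isBlank()) return null;
        String h = hostHeader.trim().toLowerCase(Locale.ROOT);
        if (h.startsWith("[")) {                      // IPv6 literal, e.g. [::1]:8080
            int end = h.indexOf(']');
            return end < 0 ? null : h.substring(0, end + 1);
        }
        int colon = h.indexOf(':');
        return colon < 0 ? h : h.substring(0, colon);
    }

    /** Host must be allowlisted; Origin, when present, must be allowlisted too. */
    static boolean isAllowed(String hostHeader, String originHeader) {
        String host = hostOnly(hostHeader);
        if (host == null || !ALLOWED_HOSTS.contains(host)) return false;
        if (originHeader == null) return true;        // non-browser client sent no Origin
        try {
            String originHost = URI.create(originHeader.trim()).getHost();
            return originHost != null
                && ALLOWED_HOSTS.contains(originHost.toLowerCase(Locale.ROOT));
        } catch (IllegalArgumentException e) {
            return false;                             // malformed Origin value
        }
    }

    public static void main(String[] args) {
        // Constructed sample requests: {Host header, Origin header}.
        String[][] samples = {
            {"localhost:8080", null},
            {"127.0.0.1:8080", "http://localhost:8080"},
            {"rebind.example:8080", "http://rebind.example:8080"},
            {"localhost:8080", "http://rebind.example"},
            {"[::1]:8080", null},
        };
        for (String[] s : samples) {
            String verdict = isAllowed(s[0], s[1]) ? "allow" : "reject";
            System.out.printf("Host=%s Origin=%s -> %s%n", s[0], s[1], verdict);
        }
    }
}
```

A rebinding request still carries the attacker-controlled name in its Host header even though it resolves to a local address, which is why the third sample is rejected.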