Approved changes feed: RSS · Atom
cpe:2.3:a:modelcontextprotocol:rust-sdk:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Modelcontextprotocol (082e8d84-965b-5156-ba15-e7a9bafb2a96) |
|---|---|
| Product | Rust Sdk (5a7ea861-643a-566c-9cbd-a55a01558725) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-42559 |
vulnerable | 2026-06-08 08:03:16.512955 |
RMCP: DNS rebinding vulnerability in rmcp Streamable HTTP server transport
HIGH (8.8)
RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim's loopback or private-network interface. This vulnerability is fixed in 1.4.0.
Published: 2026-05-14T14:24:56.090Z
Updated: 2026-05-14T16:00:33.149Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.