Critical CVE-2026-11624 Vulnerability in Model Context Protocol
CVE-2026-11624, published on June 13, 2026, exposes the Model Context Protocol to DNS rebinding attacks due to improper validation of the 'Origin' header. The flaw allows unauthenticated attackers to bypass origin validation, potentially leading to unauthorized access to server functionality and data. The CVSS base score is 9.4, indicating critical severity. Users are advised to upgrade to version 0.25.0 or later, which introduces the '--allowed-hosts' and '--allowed-origins' flags for restricting which Host and Origin values the server accepts. If either flag is set to '*', the server issues a startup warning, since the wildcard disables the check and leaves the server exposed. Currently, there is no public proof-of-concept or evidence of active exploitation. Organizations running affected versions remain at risk until they apply the update.
Key Points:
• CVE-2026-11624 allows DNS rebinding attacks due to lack of 'Origin' header validation.
• Upgrading to version 0.25.0 is critical to mitigate this vulnerability.
• No active exploitation or proof-of-concept has been reported yet.
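The allowlisting behaviour the advisory describes, shown as an added illustration rather than the Model Context Protocol project's own code: a Host and Origin check for a local HTTP endpoint, plus the startup warning for a '*' wildcard. The allowlist values and request headers are constructed samples; the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample allowlists, standing in for --allowed-hosts / --allowed-origins.
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}
ALLOWED_ORIGINS = {"http://localhost:3000"}


def warn_on_wildcard(allowed_hosts, allowed_origins):
    """Return the startup warnings to emit: a '*' entry disables that check entirely."""
    warnings = []
    if "*" in allowed_hosts:
        warnings.append("allowed hosts is '*': Host validation disabled, DNS rebinding possible")
    if "*" in allowed_origins:
        warnings.append("allowed origins is '*': Origin validation disabled, DNS rebinding possible")
    return warnings


def _host_matches(host_header, allowed):
    """Case-insensitive Host match. An allowlist entry without a port matches any port;
    an entry with a port must match exactly. Multi-colon values (IPv6) need an exact match."""
    value = host_header.strip().lower()
    bare = value.rsplit(":", 1)[0] if value.count(":") == 1 else value
    return any(value == a.lower() or bare == a.lower() for a in allowed)


def validate_request(headers, allowed_hosts=ALLOWED_HOSTS, allowed_origins=ALLOWED_ORIGINS):
    """Decide whether a request may reach the server; returns (allowed, reason).

    In a DNS rebinding attack the victim's browser resolves the attacker's hostname to
    127.0.0.1, so the Host header carries the attacker's name: checking it is the primary
    defence. Origin is checked when present; requests without Origin come from non-browser
    clients and rely on the Host check alone. An Origin of 'null' is rejected."""
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host")
    if host is None:
        return False, "missing Host header"
    if "*" not in allowed_hosts and not _host_matches(host, allowed_hosts):
        return False, f"Host {host!r} not in allowed hosts"
    origin = h.get("origin")
    if origin is None:
        return True, "no Origin header (non-browser client); Host check passed"
    if "*" in allowed_origins:
        return True, "Origin check disabled by wildcard"
    parts = urlsplit(origin)
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if normalized in {a.lower().rstrip("/") for a in allowed_origins}:
        return True, "Origin allowed"
    return False, f"Origin {origin!r} not in allowed origins"
```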