CVE-2026-11718

CRITICAL EPSS 10.5%
Published Jun 18, 20261w ago · Modified Jun 22, 20261w ago
9.3 CVSS 4.0
Critical
Find Similar
Published Jun 18, 2026 1w ago
Last Modified Jun 22, 2026 1w ago

Description

An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), it decodes the response into an introspectResp struct. However, the subsequent claim-checking logic (validateClaims) evaluates the issuer condition as if a.issuer != "" && iss != "". If the external OAuth provider's introspection response omits the optional iss (issuer) field completely, the variable iss defaults to an empty string. This causes the conditional block to evaluate to false and be skipped silently. Consequently, the application accepts tokens issued by unauthorized or unintended third-party identity providers.

CVSS Details

Base Score
9.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
10.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-287 Improper Authentication Authentication

References 1

  • github.com https://github.com/googleapis/mcp-toolbox/pull/3360

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.