{"id":"CVE-2026-11719","details":"An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers.\n\nWhile the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol versions (2025-06-18, 2025-03-26, and 2024-11-05) omit this check. An authenticated client with low-privilege tokens (e.g., read) can bypass the intended per-tool scope restrictions and execute high-privilege tools (e.g., admin) simply by specifying an older protocol version in the MCP-Protocol-Version header, or by omitting the header entirely (which causes the server to default to the vulnerable 2024-11-05 handler).","aliases":["GHSA-5gf6-gc35-xjpc","GO-2026-5144"],"modified":"2026-07-08T07:59:44.934525161Z","published":"2026-06-18T11:55:03.666Z","database_specific":{"cwe_ids":["CWE-862"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11719.json","cna_assigner":"Google"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11719.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-11719"},{"type":"FIX","url":"https://github.com/googleapis/mcp-toolbox/pull/3049"},{"type":"FIX","url":"https://github.com/googleapis/mcp-toolbox/pull/3335"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/googleapis/mcp-toolbox","events":[{"introduced":"b0010060a939455d91e4f8ba62dc3e72b1892469"},{"last_affected":"b0010060a939455d91e4f8ba62dc3e72b1892469"}],"database_specific":{"extracted_events":[{"introduced":"1.3.0"},{"last_affected":"1.3.0"}],"source":"AFFECTED_FIELD"}}],"versions":["1.3.0","v1.3.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11719.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}]}