{"id":"CVE-2026-34237","summary":"MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *)","details":"MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 0.83.0, 1.0.1, and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 0.83.0, 1.0.1, and 1.1.1.","aliases":["GHSA-hv2w-8mjj-jw22"],"modified":"2026-07-15T02:19:23.962977615Z","published":"2026-03-31T15:40:01.070Z","related":["CGA-rpqr-576x-6rxx"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34237.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-942"]},"references":[{"type":"WEB","url":"https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java#L289"},{"type":"WEB","url":"https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java#L525"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34237.json"},{"type":"ADVISORY","url":"https://github.com/modelcontextprotocol/java-sdk/security/advisories/GHSA-hv2w-8mjj-jw22"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34237"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/modelcontextprotocol/java-sdk","events":[{"introduced":"0"},{"fixed":"d187d09dd58ae9349380a57a23c3636dd78e29e1"},{"introduced":"d4d8072693a8ad98f6d9731dfd4cdbb307fa9bf1"},{"last_affected":"d4d8072693a8ad98f6d9731dfd4cdbb307fa9bf1"}],"database_specific":{"source":["CPE_RANGE","CPE_STRING"],"cpe":["cpe:2.3:a:lfprojects:mcp_java_sdk:*:*:*:*:*:*:*:*","cpe:2.3:a:lfprojects:mcp_java_sdk:1.1.0:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"fixed":"1.0.1"},{"introduced":"1.1.0"},{"last_affected":"1.1.0"}]}}],"versions":["1.1.0","v1.1.0","v1.0.0","v0.6.0","v0.5.0","v0.4.2","v0.4.1","v0.4.0","v0.3.1","v0.3.0","v0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34237.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}