CVE-2026-42559
Published: 14 May 2026
Summary
CVE-2026-42559 is a high-severity Origin Validation Error (CWE-346) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requires unique identification of the service before communications, addressing failures to validate the origin of the interaction.
Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components.
Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms.
Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources.
Mandates origin validation so that only legitimate endpoints can continue the authenticated session.
NVD Description
RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding…
more
attack, to send authenticated requests to an MCP server running on the victim's loopback or private-network interface. This vulnerability is fixed in 1.4.0.
Deeper analysisAI
Automated synthesis unavailable for this CVE.
Details
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: model context protocol, mcp