CVE-2026-11718

Source
https://cve.org/CVERecord?id=CVE-2026-11718
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11718.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-11718
Aliases
Published
2026-06-18T11:52:42.327Z
Modified
2026-07-08T07:48:29.442791127Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
[none]
Details

An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox.

When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), it decodes the response into an introspectResp struct. However, the subsequent claim-checking logic (validateClaims) evaluates the issuer condition as if a.issuer != "" && iss != "". If the external OAuth provider's introspection response omits the optional iss (issuer) field completely, the variable iss defaults to an empty string. This causes the conditional block to evaluate to false and be skipped silently. Consequently, the application accepts tokens issued by unauthorized or unintended third-party identity providers.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11718.json",
    "cna_assigner": "Google",
    "cwe_ids": [
        "CWE-287"
    ]
}
References

Affected packages

Git / github.com/googleapis/mcp-toolbox

Affected ranges

Type
GIT
Repo
https://github.com/googleapis/mcp-toolbox
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "1.0.0"
        },
        {
            "last_affected": "1.3.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v1.*
v1.0.0
v1.1.0
v1.2.0
v1.3.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11718.json"