CVE-2026-11719
Published 2026-06-18
Priority: P3 · 56 · Severity: high · CVSS 4.0 base score: 8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.15% (4.6th percentile)
An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers.
While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol versions (2025-06-18, 2025-03-26, and 2024-11-05) omit this check. An authenticated client with low-privilege tokens (e.g., read) can bypass the intended per-tool scope restrictions and execute high-privilege tools (e.g., admin) simply by specifying an older protocol version in the MCP-Protocol-Version header, or by omitting the header entirely (which causes the server to default to the vulnerable 2024-11-05 handler).
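As an added illustration (not the project's own code), the following Go model shows the pattern the advisory describes, a scope check that lives inside a single protocol-version handler, beside the fix of enforcing it before version dispatch. The function names, the `negotiate` helper and the scope-check logic are assumptions; only the version strings and the fall-back to 2024-11-05 on a missing MCP-Protocol-Version header come from the advisory.

```go
package main

import "errors"

// Illustrative model added here; it is not the project's source. When the
// MCP-Protocol-Version header is absent the server uses the oldest version.
const defaultVersion = "2024-11-05"
var ErrForbidden = errors.New("token lacks a scope required by this tool")

// negotiate returns the handler version for a header value ("" = absent).
func negotiate(headerVersion string) string {
	if headerVersion == "" {
		return defaultVersion
	}
	return headerVersion
}

// hasAllScopes reports whether the token holds every scope in scopesRequired.
func hasAllScopes(tokenScopes, scopesRequired []string) bool {
	have := make(map[string]bool, len(tokenScopes))
	for _, s := range tokenScopes {
		have[s] = true
	}
	for _, r := range scopesRequired {
		if !have[r] {
			return false
		}
	}
	return true
}

// VulnerableCallTool models the bug: only the 2025-11-25 handler checks
// scopesRequired, so the older handlers (and the default) skip the check.
func VulnerableCallTool(headerVersion string, tokenScopes, scopesRequired []string) error {
	if negotiate(headerVersion) == "2025-11-25" && !hasAllScopes(tokenScopes, scopesRequired) {
		return ErrForbidden
	}
	return nil // older handlers: no scope enforcement at all
}

// FixedCallTool checks scopesRequired before version dispatch, so the result
// no longer depends on which protocol version the client names or omits.
func FixedCallTool(headerVersion string, tokenScopes, scopesRequired []string) error {
	if !hasAllScopes(tokenScopes, scopesRequired) {
		return ErrForbidden
	}
	_ = negotiate(headerVersion) // version-specific handling would follow here
	return nil
}
```

The same pattern applies to any per-version dispatch: an authorization decision that lives in one branch is only as strong as the weakest branch a client can select.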
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | googleapis_mcp-toolbox | >= 0 < 1.4.0 | 1.4.0 |
| mcp_toolbox_for_databases | — | — | — |
GHSA
MCP Toolbox for Databases: authenticated authorization bypass
ghsa·2026-06-18
CVE-2026-11719 [HIGH] CWE-862 MCP Toolbox for Databases: authenticated authorization bypass
VulDB
Google MCP Toolbox for Databases 1.3.0 authorization (EUVD-2026-37881)
vuldb·2026-06-18
CVE-2026-11719 [CRITICAL] Google MCP Toolbox for Databases 1.3.0 authorization (EUVD-2026-37881)
A vulnerability categorized as critical has been discovered in Google MCP Toolbox for Databases 1.3.0. This affects an unknown part. The manipulation results in missing authorization.
This vulnerability was named CVE-2026-11719. The attack may be performed from remote. There is no available exploit.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-18