CVE-2026-42559
Model Context Protocol · Rust SDK (RMCP)
The Model Context Protocol Rust SDK is vulnerable to origin validation errors and reliance on insecure reverse DNS resolution, potentially allowing unauthorized actions.
Executive summary
The Model Context Protocol Rust SDK contains critical origin validation and DNS resolution flaws that could allow an unauthenticated attacker to compromise system integrity.
Vulnerability
This vulnerability involves improper origin validation (CWE-346) and reliance on reverse DNS for security-critical decisions (CWE-350). The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms this is an unauthenticated vulnerability requiring user interaction.
Business impact
Successful exploitation could result in full system compromise, including unauthorized data access and integrity loss. With a CVSS score of 8.8, this represents a high risk to business operations, particularly for applications relying on the Model Context Protocol for secure data exchange.
Remediation
Immediate Action: Update the RMCP Rust SDK to version 1.4.0 or later. Users of related packages should update dynoxide-rs to 0.9.13.
Proactive Monitoring: Monitor network and application logs for unusual request patterns, particularly those attempting to bypass origin-based authentication or spoofing DNS responses.
Compensating Controls: Implement strict network segmentation and ensure that services utilizing the SDK are protected by robust authentication layers that do not rely solely on DNS-based checks.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Given the severity of the identified flaws, organizations should prioritize updating the affected SDK versions immediately. Failure to patch these components leaves applications vulnerable to sophisticated network-based attacks that bypass standard origin security controls.