CVE-2026-42559

Model Context Protocol · Rust SDK (RMCP)

The Model Context Protocol Rust SDK is vulnerable to origin validation errors and reliance on insecure reverse DNS resolution, potentially allowing unauthorized actions.

Executive summary

The Model Context Protocol Rust SDK contains critical origin validation and DNS resolution flaws that could allow an unauthenticated attacker to compromise system integrity.

Vulnerability

This vulnerability involves improper origin validation (CWE-346) and reliance on reverse DNS for security-critical decisions (CWE-350). The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms this is an unauthenticated vulnerability requiring user interaction.

Business impact

Successful exploitation could result in full system compromise, including unauthorized data access and integrity loss. With a CVSS score of 8.8, this represents a high risk to business operations, particularly for applications relying on the Model Context Protocol for secure data exchange.

Remediation

Immediate Action: Update the RMCP Rust SDK to version 1.4.0 or later. Users of related packages should update dynoxide-rs to 0.9.13.

Proactive Monitoring: Monitor network and application logs for unusual request patterns, particularly those attempting to bypass origin-based authentication or spoofing DNS responses.

Compensating Controls: Implement strict network segmentation and ensure that services utilizing the SDK are protected by robust authentication layers that do not rely solely on DNS-based checks.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

Given the severity of the identified flaws, organizations should prioritize updating the affected SDK versions immediately. Failure to patch these components leaves applications vulnerable to sophisticated network-based attacks that bypass standard origin security controls.