HOMEVULNERABILITIESCVE-2026-9739
CRITICAL

CVE-2026-9739

CWE-942Published: May 27, 2026· Updated: May 29, 2026

9.4
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:5.1th

Official Description

Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented `allowed-origins` and `allowed-hosts` flags to align with MCP security guidelines. However, the hardcoded `Access-Control-Allow-Origin: *` header in the SSE initialization handler was inadvertently retained. This vulnerability specifically impacts users connecting via Toolbox using SSE under specification v2024-11-05.

NVD Source

Risk Analysis

This critical vulnerability in systems using SSE under specification v2024-11-05 is susceptible to DNS rebinding attacks due to a hardcoded 'Access-Control-Allow-Origin: *' header. With a CVSSv4 score of 9.4, this flaw presents a significant risk, allowing attackers to bypass origin restrictions. The absence of an EPSS score means the current exploitation likelihood is not publicly assessed, but the high severity warrants immediate action.

No public exploit is currently known for this vulnerability. Exploitation requires user interaction, specifically when connecting via Toolbox using SSE, and is remotely exploitable.

Recommended Action

Update affected systems to versions that properly enforce 'allowed-origins' and 'allowed-hosts' flags and remove the hardcoded 'Access-Control-Allow-Origin: *' header. Ensure that all web applications are configured to prevent DNS rebinding attacks.

Generated by the CTIWATCH analysis pipeline from this CVE's metadata (CVSS, EPSS, KEV status, exploit intelligence). Verify against vendor advisories before acting.

Technical Analysis

CVE-2026-9739 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

Exploitation does not require any privileges, though user interaction (A) is needed, which slightly reduces the risk of mass automated attacks.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.None
User InteractionA
ScopeX
Impact
Confidentiality
Integrity
Availability
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (2)

Quick Facts

CVE IDCVE-2026-9739
CVSS Score9.4 / 10
SeverityCRITICAL
WeaknessCWE-942
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 27, 2026

Related CVEs (CWE-942)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-9739 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.