CVE-2026-34237 is a medium severity vulnerability with a CVSS score of 6.1. No known exploits currently, and patches are available.
EPSS: very low probability of exploitation. EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *)
An attacker-controlled web page instructs the victim's browser to open GET https://internal-mcp-server/sse. Because the transport hardcodes Access-Control-Allow-Origin: *, the browser allows the cross-origin page to read the SSE stream, so the attacker's page receives the endpoint event, which carries the session ID. The attacker's page can then POST to that endpoint, using the victim's browser as a relay into the internal server.
By contrast, neither Python SDK transport (SSE or streamable HTTP) emits an Access-Control-Allow-Origin header, so the browser's default same-origin policy remains in full effect: https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/sse.py https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py
In the SDK, the transport layer should not own CORS policy. Server implementors who need cross-origin access can add a CORS filter at the servlet filter or Spring Security layer, restricted to an explicit list of trusted origins.
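As an added illustration of the servlet-filter mitigation (example code, not the MCP Java SDK's own): a hypothetical filter that replaces the wildcard with an explicit origin allow-list, refusing unknown origins before the SSE stream (and its endpoint event) is ever sent. The allowed origin and the filter name are constructed for the example.

```java
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Set;

/**
 * Hypothetical CORS filter (not part of the MCP Java SDK) for the SSE and
 * message endpoints. It confines cross-origin access to an explicit allow-list
 * instead of a hardcoded "Access-Control-Allow-Origin: *".
 */
public final class McpCorsFilter implements Filter {

    // Constructed allow-list; a real deployment loads this from configuration.
    private static final Set<String> ALLOWED_ORIGINS = Set.of("https://client.example.test");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");

        if (origin == null) {
            // Same-origin or non-browser client: no CORS decision to make.
            chain.doFilter(req, res);
            return;
        }
        if (!ALLOWED_ORIGINS.contains(origin)) {
            // Unknown origin: refuse outright, so a cross-origin page never
            // receives the endpoint event or the session ID it carries.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "origin not allowed");
            return;
        }
        // Echo the one matching origin, never "*", and mark the response as
        // varying by Origin so caches do not serve it to other origins.
        response.setHeader("Access-Control-Allow-Origin", origin);
        response.setHeader("Vary", "Origin");
        response.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
        response.setHeader("Access-Control-Allow-Headers", "Content-Type");
        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_NO_CONTENT); // preflight ends here
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Register the filter on the SSE and message paths only; the transport itself then emits no CORS header at all, matching the Python SDK behaviour described above.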
| Vendor | Product |
|---|---|
| Lfprojects | Mcp Java Sdk |