CVE-2026-34237

CVSS Score: 6.1 (Medium)
Published: Mar 31, 2026
Last Modified: Apr 03, 2026

Vulnerability Description

MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 1.0.1 and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 1.0.1 and 1.1.1.

CVSS Metrics

Common Vulnerability Scoring System

Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: N
Attack Complexity: L
Privileges Required: N
User Interaction: R
Scope: C
Confidentiality: L
Integrity: L
Availability: N

Known Affected Software

1 configuration(s) from 1 vendor(s)

mcp_java_sdk
Version: 1.1.0
CPE: cpe:2.3:a:lfprojects:mcp_java_sdk:1.1.0:*:*:*:*:*:*:*
This vulnerability affects 1 software configuration(s). Ensure you patch all affected systems.

Available Security Patches

1 patch available from vendors

Oracle

CPUAPR2026

Oracle Critical Patch Update Advisory - April 2026

Severity: Critical
Released: Apr 21, 2026
Restart Required
Security Update

Severity Details

6.1 out of 10.0 (Medium)

Weakness Type (CWE)

CWE-942: Permissive Cross-domain Security Policy with Untrusted Domains

Description: The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
Typical Severity: Medium
Abstraction Level: Variant

Key Information

Published Date: March 31, 2026