Vulnerability Details CVE-2026-35568
MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to 1.0.0, the java-sdk contains a DNS rebinding vulnerability. This vulnerability allows an attacker to access a locally or network-private java-sdk MCP server via a victims browser that is either local, or network adjacent. This allows an attacker to make any tool call to the server as if they were a locally running MCP connected AI agent. This vulnerability is fixed in 1.0.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 4.1%
CVSS Severity
CVSS v3 Score 5.7
References
Products affected by CVE-2026-35568
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.1.0
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.10.0
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.11.0
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.11.1
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.11.2
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.11.3
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.12.0
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.12.1
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.13.0
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.13.1
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.14.0
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.14.1
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.15.0
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.16.0
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.17.0
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.17.1
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.17.2
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.18.0
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.18.1
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.2.0
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.3.0
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.3.1
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.4.0
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.4.1
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.4.2
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.5.0
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.6.0
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.7.0
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.8.0
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.8.1
-
cpe:2.3:a:lfprojects:mcp_java_sdk:0.9.0