Vulnerability  ·  2026-05-15

RMCP Rust SDK for Model Context Protocol Contains DNS Rebinding Vulnerability — CVE-2026-42559

Vulnerability  ·  High impact  ·  Global  ·  CVE-2026-42559
The rmcp crate (official Rust SDK for the Model Context Protocol) prior to version 1.4.0 did not validate the incoming Host header in its Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/). This allowed a malicious public website to execute DNS rebinding attacks against localhost-bound MCP servers, sending cross-origin requests that the server would process as if they originated from a trusted local client. NVD published CVE-2026-42559 on May 14, 2026, with a CVSS 4.0 base score of 8.8 (High severity).
DNS rebinding attack. An attacker hosts a malicious website that a user visits in a browser. The attacker's JavaScript code performs DNS rebinding to cause the user's browser to send HTTP requests to 127.0.0.1 or localhost addresses where MCP servers are listening. Because the rmcp crate did not validate the Host header, the MCP server accepts and processes these cross-origin requests, allowing the attacker to invoke MCP tools, access resources, or manipulate prompts as if the requests came from a legitimate local MCP client.
Rust-based MCP server implementations using the rmcp crate (official Model Context Protocol Rust SDK) versions prior to 1.4.0. This affects any MCP server that listens on localhost and uses the rmcp Streamable HTTP transport. Developers using the rmcp crate to build MCP servers should assume that prior deployments were vulnerable to cross-origin attacks from malicious websites.
Upgrade to rmcp crate version 1.4.0 or later, which introduces Host header validation to prevent DNS rebinding attacks. Review server configurations to ensure MCP servers are not inadvertently exposed to network interfaces beyond localhost. Organizations deploying MCP servers in production should audit access logs for suspicious cross-origin requests and verify that client authentication mechanisms are enforced beyond Host header checks.
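The fix the advisory describes is a Host header allowlist on the server side: a rebinding request arrives carrying the attacker's domain in its Host header, so a localhost-bound server that only accepts Host values naming itself rejects it before any MCP tool is dispatched. The following is an added example of such a check, written here for illustration and not taken from the rmcp crate; the function names, the allowlist and the port handling are assumptions.

```rust
// Added example (not rmcp's own code): Host-header allowlist check of the
// kind that defeats DNS rebinding against a localhost-bound server.

/// Split a Host header value into (host, port). Bracketed IPv6 literals
/// such as "[::1]:8080" are handled; the port part is optional.
/// Returns None for an empty or malformed value.
fn split_host_port(value: &str) -> Option<(String, Option<u16>)> {
    let value = value.trim();
    if value.is_empty() {
        return None;
    }
    if let Some(rest) = value.strip_prefix('[') {
        // IPv6 literal: "[addr]" or "[addr]:port"
        let end = rest.find(']')?;
        let addr = &rest[..end];
        let after = &rest[end + 1..];
        let port = match after.strip_prefix(':') {
            Some(p) => Some(p.parse::<u16>().ok()?),
            None if after.is_empty() => None,
            None => return None, // junk after the closing bracket
        };
        return Some((format!("[{}]", addr.to_ascii_lowercase()), port));
    }
    match value.rsplit_once(':') {
        Some((h, p)) => Some((h.to_ascii_lowercase(), Some(p.parse::<u16>().ok()?))),
        None => Some((value.to_ascii_lowercase(), None)),
    }
}

/// True only if the Host header names one of `allowed_hosts` and, when a
/// port is present, it matches the port the server is bound to. A missing
/// or malformed header is rejected: never fall back to "accept anything".
fn host_is_allowed(host_header: Option<&str>, allowed_hosts: &[&str], bound_port: u16) -> bool {
    let (host, port) = match host_header.and_then(split_host_port) {
        Some(parsed) => parsed,
        None => return false,
    };
    if port.map_or(false, |p| p != bound_port) {
        return false;
    }
    allowed_hosts.iter().any(|a| a.eq_ignore_ascii_case(&host))
}

fn main() {
    // Assumed allowlist for a server bound to 127.0.0.1:8080.
    let allowed = ["localhost", "127.0.0.1", "[::1]"];
    for h in ["localhost:8080", "[::1]:8080", "attacker.example:8080", "localhost:9090"] {
        println!("Host: {:<24} allowed = {}", h, host_is_allowed(Some(h), &allowed, 8080));
    }
}
```

A request whose Host header fails this check should receive an error response (for example 403) before the body is read or any session is created.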
Sources
NVD: CVE-2026-42559
GitHub commit 8e22aa2