What happened
Two critical authentication bypass vulnerabilities (CVSS 9.3 each) were published to NVD on June 18, 2026 in Google's MCP Toolbox for Databases. CVE-2026-11717: when validating an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), the toolbox decodes the response into an introspectResp struct but fails to check whether the 'active' field is false — meaning an expired or revoked token is treated as valid. CVE-2026-11718 describes a related flaw in the same validateOpaqueToken path where additional fields in the introspection response are not validated, permitting further bypass conditions. Both allow unauthenticated or unauthorised callers to access MCP tools and the databases they connect to.
Why it matters
MCP Toolbox for Databases is Google's official MCP server for connecting AI agents to enterprise databases (Cloud SQL, Spanner, AlloyDB, PostgreSQL, MySQL, SQLite). An authentication bypass here means any attacker who can reach the MCP endpoint can invoke database read/write tools without valid credentials — exfiltrating or corrupting data that AI agents are authorised to access. The package is maintained by googleapis and likely deployed in Google Cloud environments at scale.
Attack vector
Attacker presents an expired, revoked, or otherwise invalid opaque token to the MCP Toolbox introspection endpoint. The server calls the OAuth introspection endpoint but ignores the 'active: false' response field, granting the attacker access to all MCP tools and connected databases.
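The following Go program is an added illustration of the flaw class described above, not code from the mcp-toolbox project or its patches. It assumes a hypothetical introspectResp type and hypothetical validateOpaqueTokenVulnerable / validateOpaqueToken functions, a fixed clock demoNow, and an in-process fake authorization server with a constructed token table (valid, narrow-scope, expired, revoked), so it runs offline. The vulnerable path decodes the RFC 7662 response and stops there; the hardened path rejects active=false, enforces exp against its own clock as defence in depth, and requires the scope the tool needs.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// Fixed clock so expiry checks are deterministic (constructed value for the example).
const demoNow int64 = 1_700_000_000

// introspectResp holds the RFC 7662 fields this example reads (hypothetical type, not the toolbox's own).
type introspectResp struct {
	Active bool   `json:"active"`
	Scope  string `json:"scope,omitempty"`
	Sub    string `json:"sub,omitempty"`
	Exp    int64  `json:"exp,omitempty"`
}

// introspect POSTs the opaque token to the introspection endpoint and decodes the JSON reply.
// Client authentication to the authorization server (RFC 7662 section 2.1) is omitted for brevity.
func introspect(client *http.Client, endpoint, token string) (*introspectResp, error) {
	body := strings.NewReader(url.Values{"token": {token}}.Encode())
	resp, err := client.Post(endpoint, "application/x-www-form-urlencoded", body)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("introspection endpoint returned HTTP %d", resp.StatusCode)
	}
	var ir introspectResp
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&ir); err != nil {
		return nil, fmt.Errorf("decode introspection response: %w", err)
	}
	return &ir, nil
}

// validateOpaqueTokenVulnerable reproduces the flaw class in the advisory: a decodable
// response is taken as proof of validity and 'active' is never consulted.
func validateOpaqueTokenVulnerable(client *http.Client, endpoint, token string) (*introspectResp, error) {
	return introspect(client, endpoint, token)
}

// validateOpaqueToken is the hardened form: require active=true, enforce exp against the
// caller's clock as defence in depth, and demand the scope the tool actually needs.
func validateOpaqueToken(client *http.Client, endpoint, token, requiredScope string, now time.Time) (*introspectResp, error) {
	ir, err := introspect(client, endpoint, token)
	if err != nil {
		return nil, err
	}
	if !ir.Active {
		return nil, errors.New("token is not active (revoked, expired or unknown)")
	}
	if ir.Exp != 0 && now.Unix() >= ir.Exp {
		return nil, errors.New("token exp is in the past")
	}
	// Scope is a space-delimited list; pad with spaces so "tools:read" does not match "tools:readonly".
	if requiredScope != "" && !strings.Contains(" "+ir.Scope+" ", " "+requiredScope+" ") {
		return nil, fmt.Errorf("token lacks required scope %q", requiredScope)
	}
	return ir, nil
}

// newFakeIntrospectionServer stands in for the authorization server, using a constructed
// token table so the example runs offline. Per RFC 7662 section 2.2, unknown tokens get active=false.
func newFakeIntrospectionServer() *httptest.Server {
	tokens := map[string]introspectResp{
		"valid-token":   {Active: true, Scope: "tools:read tools:write", Sub: "alice", Exp: demoNow + 3600},
		"narrow-token":  {Active: true, Scope: "tools:read", Sub: "bob", Exp: demoNow + 3600},
		"expired-token": {Active: true, Scope: "tools:read", Sub: "carol", Exp: demoNow - 60},
		"revoked-token": {Active: false},
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ir, ok := tokens[r.PostFormValue("token")]
		if !ok {
			ir = introspectResp{Active: false}
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(ir)
	}))
}

func main() {
	srv := newFakeIntrospectionServer()
	defer srv.Close()
	for _, tok := range []string{"valid-token", "revoked-token", "expired-token", "unknown-token"} {
		_, vulnErr := validateOpaqueTokenVulnerable(srv.Client(), srv.URL, tok)
		_, fixedErr := validateOpaqueToken(srv.Client(), srv.URL, tok, "tools:read", time.Unix(demoNow, 0))
		fmt.Printf("%-14s vulnerable accepts=%v  hardened accepts=%v (%v)\n", tok, vulnErr == nil, fixedErr == nil, fixedErr)
	}
}
```

Running main prints one line per token: the vulnerable path accepts all four (the fake server answers HTTP 200 with a well-formed body even for revoked and unknown tokens, exactly as RFC 7662 prescribes), while the hardened path accepts only valid-token. The exp check is deliberately redundant with active=false from a well-behaved authorization server; it limits the damage if the server is misconfigured or its response is stale.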
Affected systems
googleapis/mcp-toolbox (all versions prior to the fixes in PRs #3341 and #3360)
Mitigation
Apply patches from googleapis/mcp-toolbox PRs #3341 (CVE-2026-11717) and #3360 (CVE-2026-11718). See: https://github.com/googleapis/mcp-toolbox/pull/3341 and https://github.com/googleapis/mcp-toolbox/pull/3360