What happened
An authenticated authorisation bypass (CVSS 8.6) in MCP Toolbox for Databases was published to NVD on June 18, 2026. While the 2025-11-25 protocol version correctly enforces per-tool scopesRequired restrictions, older supported protocol version handlers do not apply scope enforcement. An authenticated user can therefore access tools they are not authorised to use by connecting via an older protocol version, bypassing the intended least-privilege controls on database tool invocations.
Why it matters
Scope enforcement is the primary mechanism limiting which database operations an AI agent (or a user of the MCP interface) can perform. Bypassing it allows an authenticated-but-low-privilege caller to invoke high-privilege database tools — enabling data exfiltration, schema modification, or destructive writes that should be restricted.
Attack vector
An authenticated attacker connects to MCP Toolbox using an older supported protocol version whose handler skips scope enforcement, then invokes tools restricted by scopesRequired that they are not authorised to access.
Affected systems
googleapis/mcp-toolbox (versions prior to fix in PR #3049)
Mitigation
Apply the fix from googleapis/mcp-toolbox PR #3049. Disable or deprecate older protocol version handlers where possible. See: https://github.com/googleapis/mcp-toolbox/pull/3049
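The bug class above, as an added Go illustration that is not code from googleapis/mcp-toolbox or from PR #3049: a flawed dispatcher that only checks scopesRequired inside the newest protocol version's handler, beside a hardened one that checks before version-specific dispatch and refuses unknown versions. The Tool and Caller types, the authorize functions and the older version string "2025-06-18" are assumptions made for the demo.

```go
package main

import (
	"errors"
	"fmt"
)

// Added illustration, not code from googleapis/mcp-toolbox; the type and
// function names are assumptions chosen to show the bug class.
type Tool struct {
	Name           string
	ScopesRequired []string
}
type Caller struct{ Scopes map[string]bool } // scopes granted to the principal

var ErrForbidden = errors.New("forbidden: caller lacks a required scope")

// The older version string is a constructed example, not taken from the advisory.
var supportedVersions = map[string]bool{"2025-11-25": true, "2025-06-18": true}

func hasAllScopes(c Caller, required []string) bool {
	for _, s := range required {
		if !c.Scopes[s] {
			return false
		}
	}
	return true
}

// authorizeVulnerable mirrors the flawed pattern: the scope check lives only in
// the newest protocol version's handler, so every older version falls through.
func authorizeVulnerable(version string, c Caller, t Tool) error {
	if version == "2025-11-25" && !hasAllScopes(c, t.ScopesRequired) {
		return ErrForbidden
	}
	return nil
}

// authorizeFixed checks scopesRequired before any version-specific dispatch, so
// negotiating an older version cannot skip it; unknown versions are refused.
func authorizeFixed(version string, c Caller, t Tool) error {
	if !supportedVersions[version] {
		return fmt.Errorf("unsupported protocol version %q", version)
	}
	if !hasAllScopes(c, t.ScopesRequired) {
		return ErrForbidden
	}
	return nil
}
```

A regression test that asserts a read-only caller is denied the write tool on every supported version is the check to keep after applying the fix, since it fails again if a future handler reintroduces version-local enforcement.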