Agentic Intelligence · Infomly
Jun 15, 2026
1:03 PM
Agentic AI

CVE-2026-11624 just gave every malicious website full control of your local MCP server. CVSS 9.4.

A CVSS 9.4 critical dropped on June 13.

CVE-2026-11624 — DNS rebinding in the Model Context Protocol.

If you're running any MCP server locally (the standard dev setup for Claude Code, Cursor, Windsurf), a malicious website can now pivot through your browser and invoke arbitrary tool calls on your local instance.

No authentication required. No user awareness.

Here's the mechanism:

The MCP spec advises servers to validate the Origin header on incoming connections.

Prior to v0.25, MCP Toolbox gave you no way to do it.

Google's MCP Toolbox for Databases — the most widely deployed MCP connector — had zero Origin validation built in.

An attacker hosts a malicious site. The site's DNS record then rebinds to 127.0.0.1. Your browser, thinking it's still on the attacker's domain, sends cross-origin requests that hit your local MCP server.

The server processes them as legitimate.

Your database queries, your file system tools, your shell commands — all exposed to any page you visit.

The fix shipped in v0.25.0 (January 8, 2026):

New --allowed-hosts flag. New HostCheck middleware. Returns 400 on unrecognized hosts.

But both flags, --allowed-hosts and --allowed-origins, default to "*" (wildcard).

If you upgraded but didn't set explicit hosts, you're still exposed.
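
A minimal Host/Origin allowlist check of the kind described above, written as an added example (it is not MCP Toolbox's own code) to show why a wildcard lets a rebound request through while an explicit host rejects it with 400. The names hostCheck and probe, port 5000 and the domain rebind.example are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// hostCheck is a hypothetical middleware, not MCP Toolbox's own code. It returns
// 400 unless Host (and Origin, when present) is allowlisted; "*" matches anything.
func hostCheck(allowedHosts, allowedOrigins []string, next http.Handler) http.Handler {
	allowed := func(list []string, v string) bool {
		for _, a := range list {
			if a == "*" || a == v {
				return true
			}
		}
		return false
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// After a rebind the socket is 127.0.0.1, but Host still names the page's domain.
		o := r.Header.Get("Origin") // absent on non-browser clients
		if !allowed(allowedHosts, r.Host) || (o != "" && !allowed(allowedOrigins, o)) {
			http.Error(w, "host or origin not allowed", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through hostCheck and returns the status code.
func probe(hosts, origins []string, host, origin string) int {
	tool := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodPost, "/mcp", nil)
	req.Host = host // constructed Host header
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	hostCheck(hosts, origins, tool).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	wild, h, o := []string{"*"}, []string{"127.0.0.1:5000"}, []string{"http://127.0.0.1:5000"}
	fmt.Println("wildcard:", probe(wild, wild, "rebind.example:5000", "http://rebind.example:5000"))
	fmt.Println("explicit:", probe(h, o, "rebind.example:5000", "http://rebind.example:5000"))
}
```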

This is the third MCP CVE this year that follows the same pattern: default-to-permissive, fix-it-later, nobody patches.

The others: CVE-2025-66416 (Python SDK), CVE-2026-34742 (Go SDK). Same class. Different package.

Run this now:

Upgrade MCP Toolbox to v0.25+.

Set --allowed-hosts=127.0.0.1:YOUR_PORT explicitly.

Set --allowed-origins to your actual origin.

Audit every MCP server in your stack for wildcard defaults.

If you're running MCP servers on localhost without auth — which is the documented development pattern — you are the attack surface.

This isn't a theoretical risk. Jonathan Leitschuh published a working PoC. The attack chain is: visit a webpage, lose your database.

SOURCE: https://app.opencve.io/cve/CVE-2026-11624
VERIFIED: NVD (CVE-2026-11624), OpenCVE, GitHub Advisory (GHSA-xw59-hvm2-8pj6), Threat-Modeling.com Vulnerability Intelligence Report June 14 2026
SIGNAL: MCP is the connective tissue between every major AI agent and the tools they call. A CVSS 9.4 with default-permissive config means the entire agent development ecosystem is exposed by design. Patch now or accept the blast radius.