RustSec flags high-severity DNS rebinding flaw in rmcp HTTP server

A malicious page could pivot through DNS rebinding and reach rmcp servers on loopback or private-network interfaces. The fix now forces Host validation and defaults to localhost-only.

Jamie Taylor · 1 min read

The RustSec Advisory Database issued RUSTSEC-2026-0189 on June 29, 2026, flagging a high-severity DNS rebinding flaw in rmcp's Streamable HTTP server transport. The bug carries a CVSS score of 8.8 and requires user interaction, but the interaction needed is nothing more than a victim opening a malicious web page, which is exactly how browser-driven attacks against developer tools and local agent servers play out.

DNS rebinding is the trap here: a victim visits a malicious web page, and the attacker's hostname first resolves to an attacker-controlled server, then, on a later lookup, resolves to a local address such as 127.0.0.1 or another private-network target. The browser keeps sending requests to the same hostname, so the same-origin policy is satisfied while the traffic now lands on the victim's own machine. If the service on that address trusts the incoming Host header without checking it, the browser becomes a bridge into a machine the attacker should never reach. In rmcp versions before 1.4.0, the Host header was not validated, so a page could send requests to an MCP server running on a victim's loopback or private-network interface.


A successful attack could enumerate and invoke the tools exposed by a locally running rmcp-based MCP server, read its resources and prompts, and trigger whatever side effects those tools were allowed to perform. The issue affected only the Streamable HTTP transport; the stdio and child-process transports were not affected, since a web page has no way to reach them.

The fix landed in rmcp 1.4.0 on April 9, 2026, through PR #764 and commit 8e22aa2. The patch adds a default loopback-only allowlist, with allowed_hosts set to localhost, 127.0.0.1, and ::1, and returns HTTP 403 when the Host header is not on the list. StreamableHttpServerConfig controls inbound Host validation through allowed_hosts, so public deployments must override the loopback-only default with their own hostnames or every request will be rejected. The unvalidated Host header also ran counter to the MCP specification's transport security guidance, which calls out DNS rebinding explicitly and recommends that local servers bind only to localhost.
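The check below is an added example of the kind of inbound Host validation described above; it is not rmcp's code or the contents of PR #764. It assumes a Host header in the usual forms (hostname, IPv4, or bracketed IPv6, each with an optional port) and an allowlist that matches on the host part only, with a missing or malformed header rejected. The hostname allowed_hosts is taken from the advisory; everything else (function names, the sample headers) is constructed for illustration.

```rust
// Added example: Host validation against a loopback-only allowlist of the
// kind rmcp 1.4.0 introduced. Not rmcp's own implementation; the helper
// names and the port-handling policy are assumptions.

use std::collections::HashSet;

/// Loopback-only default, matching the allowed_hosts default from the advisory.
pub fn default_allowed_hosts() -> HashSet<String> {
    ["localhost", "127.0.0.1", "::1"]
        .iter()
        .map(|s| s.to_string())
        .collect()
}

/// Split a Host header value into (lowercased host, optional port).
/// Handles "host", "host:port", "[v6]" and "[v6]:port". A bare IPv6
/// literal without brackets is not a valid Host value and yields None.
pub fn split_host_port(value: &str) -> Option<(String, Option<u16>)> {
    let v = value.trim();
    if v.is_empty() {
        return None;
    }
    if let Some(rest) = v.strip_prefix('[') {
        let end = rest.find(']')?;
        let host = &rest[..end];
        let tail = &rest[end + 1..];
        let port = if tail.is_empty() {
            None
        } else {
            Some(tail.strip_prefix(':')?.parse::<u16>().ok()?)
        };
        return Some((host.to_ascii_lowercase(), port));
    }
    match v.rsplit_once(':') {
        Some((host, port)) if !host.contains(':') => {
            if host.is_empty() {
                return None;
            }
            let port = port.parse::<u16>().ok()?;
            Some((host.to_ascii_lowercase(), Some(port)))
        }
        Some(_) => None, // unbracketed IPv6 literal: reject
        None => Some((v.to_ascii_lowercase(), None)),
    }
}

/// True only when the Host header parses and its host part is allowlisted.
/// A missing or malformed header fails closed, which is the safe default
/// for a server that may be sitting on loopback.
pub fn host_allowed(host_header: Option<&str>, allowed: &HashSet<String>) -> bool {
    match host_header.and_then(split_host_port) {
        Some((host, _port)) => allowed.contains(&host),
        None => false,
    }
}

/// Status a server would answer with: 403 when Host is not permitted.
pub fn status_for(host_header: Option<&str>, allowed: &HashSet<String>) -> u16 {
    if host_allowed(host_header, allowed) {
        200
    } else {
        403
    }
}

fn main() {
    let allowed = default_allowed_hosts();
    // Constructed sample headers. The first three are what a legitimate local
    // client sends; the last two are what a browser sends after the attacker's
    // name has rebound to 127.0.0.1, because the page still fetches
    // http://attacker.example:8000/... and Host follows the URL, not the IP.
    let samples = [
        "127.0.0.1:8000",
        "localhost:8000",
        "[::1]:8000",
        "attacker.example:8000",
        "evil.attacker.example",
    ];
    for h in samples {
        println!("Host: {h:<24} -> {}", status_for(Some(h), &allowed));
    }
}
```

The important property is that the rebinding request carries the attacker's hostname in Host even though the TCP connection now terminates on loopback, so a plain string comparison against the allowlist is enough to break the attack. A public deployment would build the set from its own hostnames instead of calling the loopback default.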

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.
