CVE-2026-11717

Name: CVE-2026-11717
Creator: NVD / NIST
Published: 2026-06-18T14:17:20.013+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.3/10EPSS 0.19%

Last modified Jun 22, 2026

This CVE is reserved or awaiting analysis. Details will appear once published by NVD.

Description

An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), the toolbox decodes the response into an introspectResp struct where the Active field is declared as a pointer to a boolean (*bool). The code only explicitly rejects a token if the response contains a populated active field set to false (if introspectResp.Active != nil && !*introspectResp.Active). If an introspection endpoint responds with a payload that completely omits the mandatory active key, the internal variable remains nil, causing the conditional check to short-circuit. As a result, Toolbox accepts authorization tokens missing the "active" field, granting access to protected tools and underlying data sources.

Metrics

CVSS 4.0

9.3/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.19%

9.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-287

References

https://github.com/googleapis/mcp-toolbox/pull/3341

Timeline

Published: Jun 18, 2026
Last Modified: Jun 22, 2026
Status: Awaiting Analysis

Are you affected by CVE-2026-11717?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST