Auth bypass in Google Mcp Toolbox For Databases (Googleapis/mcp-toolbox)
CVE-2026-11718
An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), it d…
Vulnerability class: Broken Authentication
Affected products
- Google Mcp Toolbox For Databases (Googleapis/mcp-toolbox) — versions 1.0.0