
chore(deps): update rust crate rmcp to v1.4.0 [security]#1157

Merged
aaylward merged 1 commit into main from renovate/crate-rmcp-vulnerability on Jun 1, 2026

Conversation


@renovate renovate Bot commented May 8, 2026

This PR contains the following updates:

Package | Type                   | Update | Change
rmcp    | workspace.dependencies | minor  | 1.1.0 -> 1.4.0

rmcp Streamable HTTP server transport has a DNS rebinding vulnerability

CVE-2026-42559 / GHSA-89vp-x53w-74fx


Details

Summary

Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim's loopback or private-network interface — violating the MCP specification's transport security guidance.

Impact

An attacker who convinces a victim to visit a malicious page can:

  • Enumerate and invoke any tool exposed by a locally-running rmcp-based MCP server.
  • Read resources, prompts, and any state accessible via the MCP session.
  • Trigger side effects (file writes, shell execution, API calls, etc.) limited only by what tools the victim's server exposes.

Because MCP servers frequently run with the user's privileges and expose developer tooling (filesystems, shells, browser control, language servers, etc.), the practical impact can extend to arbitrary code execution on the victim's machine.

Affected Versions

rmcp < 1.4.0 — all prior releases of the Streamable HTTP server transport. Non-HTTP transports (stdio, child-process) are not affected.

Patched Versions

rmcp >= 1.4.0 (current: 1.5.1).

Patch

Fixed in PR #764 (commit 8e22aa2), released as v1.4.0 on 2026-04-09:

  • StreamableHttpServerConfig::allowed_hosts now defaults to a loopback-only allowlist: ["localhost", "127.0.0.1", "::1"].
  • All incoming HTTP requests pass through validate_dns_rebinding_headers(), which parses the Host header and returns HTTP 403 if the host is not on the allowlist.
  • Public deployments can configure an explicit allowlist via StreamableHttpService::with_allowed_hosts(...), or opt out (not recommended without an upstream reverse proxy that validates Host) via disable_allowed_hosts().

This fix validates the Host header only. Origin header validation is tracked as a defense-in-depth follow-up in #822 and is not required to block the DNS rebinding attack described here — the browser cannot forge the Host header sent to the rebound server.

Workarounds for Unpatched Users
  • Upgrade to rmcp >= 1.4.0.
  • If upgrade is not possible, place the MCP server behind a reverse proxy (e.g. nginx, Caddy) configured to reject requests whose Host header is not one of your expected hostnames.
  • Do not bind the MCP server to 0.0.0.0 without such a proxy.
Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

modelcontextprotocol/rust-sdk (rmcp)

v1.4.0


Added
  • add Default and constructors to ServerSseMessage (#794)
  • add meta to elicitation results (#792)
  • (macros) auto-generate get_info and default router (#785)
  • (transport) add which_command for cross-platform executable resolution (#774)
  • (auth) add StoredCredentials::new() constructor (#778)
Fixed
  • (server) remove initialized notification gate to support Streamable HTTP (#788)
  • default session keep_alive to 5 minutes (#780)
  • (http) add host check (#764)
  • exclude local feature from docs.rs build (#782)
Other
  • update Rust toolchain to 1.92 (#797)
  • unify IntoCallToolResult Result impls (#787)

v1.3.0


Added
  • (transport) add Unix domain socket client for streamable HTTP (#749)
  • (auth) implement SEP-2207 OIDC-flavored refresh token guidance (#676)
  • add configuration for transparent session re-init (#760)
  • add local feature for !Send tool handler support (#740)
Fixed
  • prevent CallToolResult and GetTaskPayloadResult from shadowing CustomResult in untagged enums (#771)
  • drain in-flight responses on stdin EOF (#759)
  • remove default type param from StreamableHttpService (#758)
  • use cfg-gated Send+Sync supertraits to avoid semver break (#757)
  • (rmcp) surface JSON-RPC error bodies on HTTP 4xx responses (#748)
  • default CallToolResult content to empty vec on missing field (#752)
  • (auth) redact secrets in Debug output for StoredCredentials and StoredAuthorizationState (#744)
Other
  • fix all clippy warnings across workspace (#746)

v1.2.0


Added
  • add missing constructors for non-exhaustive model types (#739)
  • include granted scopes in OAuth refresh token request (#731)
Fixed
  • handle ping requests sent before initialize handshake (#745)
  • allow deserializing notifications without params field (#729)
Other
  • (deps) update jsonwebtoken requirement from 9 to 10 (#737)

v1.1.1


Fixed
  • accept logging/setLevel and ping before initialized notification (#730)

Configuration

📅 Schedule (UTC):

  • Branch creation: ""
  • Automerge: At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
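The advisory above describes the fix as a Host-header allowlist that defaults to loopback names and answers 403 for anything else. The following is an added, stand-alone illustration of that check written for this page; it is not rmcp's own implementation, and the type and function names (HostAllowlist, host_without_port, check, status) are assumptions, not rmcp API. It goes slightly beyond the advisory text by handling the parsing edge cases such a check must get right: port stripping, bracketed IPv6 literals, case-insensitive hostnames, and a missing or malformed header. The requests in main() are constructed; the "rebound browser request" models the attack in the advisory, where attacker.example has been re-pointed at 127.0.0.1 but the browser still sends the attacker's name in the Host header.

```rust
use std::collections::HashSet;

/// Result of checking one request's Host header.
#[derive(Debug, PartialEq, Eq)]
pub enum HostCheck {
    Allowed,
    Forbidden(&'static str),
}

/// Hypothetical stand-alone Host allowlist (example code, not rmcp's implementation).
pub struct HostAllowlist {
    hosts: HashSet<String>,
}

impl HostAllowlist {
    /// Loopback-only default: the same three names the advisory lists.
    pub fn loopback_only() -> Self {
        Self::new(&["localhost", "127.0.0.1", "::1"])
    }

    /// Explicit allowlist for a public deployment; hostnames compare case-insensitively.
    pub fn new(hosts: &[&str]) -> Self {
        Self { hosts: hosts.iter().map(|h| h.to_ascii_lowercase()).collect() }
    }

    /// Split a Host header value into its host part, dropping any port.
    /// Returns None for a malformed value (empty, unbalanced brackets,
    /// non-numeric port, stray colons), which the caller treats as a rejection.
    pub fn host_without_port(value: &str) -> Option<String> {
        let v = value.trim();
        if v.is_empty() {
            return None;
        }
        // IPv6 literal: "[::1]" or "[::1]:8080".
        if let Some(rest) = v.strip_prefix('[') {
            let close = rest.find(']')?;
            let tail = &rest[close + 1..];
            if !tail.is_empty() && !Self::valid_port(tail.strip_prefix(':')?) {
                return None;
            }
            return Some(rest[..close].to_ascii_lowercase());
        }
        // Hostname or IPv4: at most one colon, followed by a numeric port.
        let mut parts = v.splitn(2, ':');
        let host = parts.next()?;
        if let Some(port) = parts.next() {
            if !Self::valid_port(port) {
                return None;
            }
        }
        if host.is_empty() {
            return None;
        }
        Some(host.to_ascii_lowercase())
    }

    fn valid_port(p: &str) -> bool {
        !p.is_empty() && p.len() <= 5 && p.chars().all(|c| c.is_ascii_digit())
    }

    /// The check a server-side middleware runs on every request: a missing,
    /// malformed, or non-allowlisted Host is rejected.
    pub fn check(&self, host_header: Option<&str>) -> HostCheck {
        let Some(raw) = host_header else {
            return HostCheck::Forbidden("missing Host header");
        };
        let Some(host) = Self::host_without_port(raw) else {
            return HostCheck::Forbidden("malformed Host header");
        };
        if self.hosts.contains(&host) {
            HostCheck::Allowed
        } else {
            HostCheck::Forbidden("Host not in allowlist")
        }
    }

    /// HTTP status the middleware answers with: 200 to pass through, 403 to reject.
    pub fn status(&self, host_header: Option<&str>) -> u16 {
        match self.check(host_header) {
            HostCheck::Allowed => 200,
            HostCheck::Forbidden(_) => 403,
        }
    }
}

fn main() {
    let guard = HostAllowlist::loopback_only();
    // Constructed requests. The rebound page at attacker.example now resolves to
    // 127.0.0.1, but the browser still puts the attacker's hostname in Host.
    let requests = [
        ("legit local client", Some("localhost:8080")),
        ("legit IPv6 local client", Some("[::1]:8080")),
        ("rebound browser request", Some("attacker.example:8080")),
        ("HTTP/1.0 client without Host", None),
    ];
    for (label, host) in requests {
        println!("{label:<30} Host={:<24} -> {} ({:?})",
            host.unwrap_or("<none>"), guard.status(host), guard.check(host));
    }
}
```

Two design points worth noting. First, the check is on the host part only, so any port on an allowlisted name passes; that matches the advisory's description and is what makes a local server on an arbitrary port usable. Second, a Host check alone does not distinguish a same-host cross-origin page (for instance another development server on localhost at a different port) from a legitimate client, because both send the server's own name in Host; that is the gap the Origin-header follow-up mentioned in the advisory is meant to close.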

@cloudflare-workers-and-pages cloudflare-workers-and-pages Bot commented May 8, 2026

Deploying with Cloudflare Workers

The latest updates on your project.

Status: ✅ Deployment successful!
Name: 1d4-web
Latest Commit: fde0428
Updated (UTC): May 18 2026, 02:38 PM

@renovate renovate Bot force-pushed the renovate/crate-rmcp-vulnerability branch from bd99b73 to fde0428 Compare May 18, 2026 14:38
@aaylward aaylward merged commit a2c6f2f into main Jun 1, 2026
12 checks passed
@aaylward aaylward deleted the renovate/crate-rmcp-vulnerability branch June 1, 2026 04:18