googleapis/mcp-toolbox Authentication Bypass via Opaque Token Validation

CVE advisory · Severity: CRITICAL (CVSS 9.3)

CVE-2026-11718

An authentication bypass vulnerability in the mcp-toolbox allows the acceptance of tokens from unauthorized identity providers. This occurs when an external OAuth provider omits the issuer field in its introspection response, causing the toolbox to skip necessary validation logic. This could lead to unintended access t

Authentication Bypass

Halo Surface Signal

Very likely · external exposure

The vulnerability exists in an authentication mechanism for an OAuth 2.0 introspection endpoint. Identity and authentication gateways are, by design, public-facing services meant to validate credentials for external or distributed applications, making them inherently exposed to the internet in normal deployments.

Horizon Alert

Summary of the vulnerability and why it matters

An authentication bypass vulnerability has been identified in the mcp-toolbox, which handles token validation for OAuth 2.0. This issue allows the system to accept tokens from unauthorized identity providers, potentially compromising security. The primary concern is to confirm whether our environment is affected and to what extent.

  • Bypass allows any identity provider to authenticate.
  • Key risk: unauthorized access to systems.
  • Confirm relevance and exposure to our environment.

Attack Path

How an attacker could exploit the issue

An attacker could bypass authentication by manipulating an OAuth 2.0 introspection response. By ensuring an external identity provider omits the issuer field in its response, the validation logic is skipped, allowing the application to accept tokens from unauthorized sources. This could potentially lead to unauthorized access to application resources.

  • No authentication needed to reach the endpoint.
  • Triggered by an introspection response missing the issuer field.
  • Risk of unauthorized access to resources.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow unauthorized third-party identity providers to issue tokens that are accepted by the mcp-toolbox when validating opaque tokens via an OAuth 2.0 introspection endpoint. This occurs when the external provider's introspection response omits the issuer field, causing the mcp-toolbox to bypass necessary conditional logic and accept tokens from unintended sources.

  • Access to systems and data controlled by mcp-toolbox.
  • Tokens issued by unauthorized identity providers may be accepted.
  • Unintended access to services and their associated data.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts the generic opaque token validation within the `googleapis/mcp-toolbox`. The issue arises when an external OAuth provider omits the issuer field in its introspection response, allowing the toolbox to accept tokens from unintended identity providers. Identifying the specific instances of this toolbox, confirming their reachability and criticality, and locating the accountable owner are the crucial first steps.

  • Accountable teams: Platform or security teams.
  • Verify: Token introspection endpoint reachability.
  • Action: Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is googleapis/mcp-toolbox?

The mcp-toolbox is a software component designed to handle token validation processes for OAuth 2.0. It acts as an intermediary, checking the validity of opaque security tokens against introspection endpoints to ensure that only authorized users or services can access protected resources within an application architecture.

How does CVE-2026-11718 work as an authentication bypass?

This vulnerability, classified as Improper Authentication (CWE-287), occurs because of a logic flaw during token validation. When the toolbox checks an incoming token, it relies on an 'issuer' field to verify identity. If this field is missing from an identity provider's response, the code skips the verification step entirely, mistakenly accepting the token as valid even if it originated from an unauthorized source.

Does a malformed token trigger this bug?

The bug is not triggered by a malformed token itself, but rather by the response received from an OAuth 2.0 introspection endpoint. Specifically, the bypass occurs only when an external identity provider omits the required issuer information in its introspection response. If the issuer field is present and correctly populated, the logic executes as intended.
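The flaw class described in the two answers above (an issuer check that only runs when the field is present) and its fail-closed counterpart, as an added illustration; this is constructed example code, not mcp-toolbox's own implementation, and the `AllowedIssuers` allowlist and sample responses are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Introspection mirrors the RFC 7662 fields this example cares about.
// Iss is a pointer so that an absent field is distinguishable from "".
type Introspection struct {
	Active bool    `json:"active"`
	Iss    *string `json:"iss"`
}

// AllowedIssuers is a constructed allowlist for the example (assumption).
var AllowedIssuers = map[string]bool{"https://idp.example.com": true}

// validateSkipsOnMissingIssuer models the logic flaw the advisory describes:
// the issuer comparison is guarded by "is the field present", so a response
// that omits "iss" never reaches the check and is accepted.
// Illustrative reconstruction, not the project's code.
func validateSkipsOnMissingIssuer(raw []byte) error {
	var r Introspection
	if err := json.Unmarshal(raw, &r); err != nil || !r.Active {
		return errors.New("token inactive or unparseable")
	}
	if r.Iss != nil && !AllowedIssuers[*r.Iss] {
		return fmt.Errorf("issuer %q not trusted", *r.Iss)
	}
	return nil // reached for any active token without an iss field
}

// validateFailClosed treats a missing or empty issuer as a rejection and
// only then compares the value against the allowlist.
func validateFailClosed(raw []byte) error {
	var r Introspection
	if err := json.Unmarshal(raw, &r); err != nil || !r.Active {
		return errors.New("token inactive or unparseable")
	}
	if r.Iss == nil || *r.Iss == "" {
		return errors.New("introspection response omits iss; rejecting")
	}
	if !AllowedIssuers[*r.Iss] {
		return fmt.Errorf("issuer %q not trusted", *r.Iss)
	}
	return nil
}
```

Logging the rejection reason from `validateFailClosed` gives a simple detection signal: a burst of "omits iss" rejections points at a provider returning incomplete introspection data.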

Is my system at risk from this CVE?

Halo Surface Signal indicates that because this vulnerability exists within an authentication gateway, it is very likely to be internet-facing. If your deployment uses mcp-toolbox to validate tokens from external OAuth providers, your services may be reachable by unauthorized parties who can manipulate the introspection response to gain access, regardless of your internal network configuration.

What should I do if I use this software?

Begin by identifying all instances where mcp-toolbox is deployed within your environment. Verify whether these instances are configured to perform token introspection. Once identified, coordinate with your platform or security team to review how your external OAuth providers return introspection data and plan for the necessary updates to ensure proper claim validation.