Reported

May 12, 2026

Issued

May 13, 2026

Package

dynoxide-rs (crates.io)

Type

Vulnerability

Keywords

#dns-rebinding #csrf #mcp

Aliases

• CVE-2026-42559
• GHSA-fvh2-gm75-j4j7

References

• https://github.com/nubo-db/dynoxide/security/advisories/GHSA-fvh2-gm75-j4j7
• https://github.com/nubo-db/dynoxide/releases/tag/v0.9.13

Related

• GHSA-89vp-x53w-74fx

CVSS Score

8.8 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

High

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Patched

• >=0.9.13

Unaffected

• <0.9.3

Description

dynoxide's MCP HTTP transport was vulnerable to DNS rebinding via its transitive rmcp dependency, plus a related cross-origin CSRF gap.

A malicious web page could make the user's browser send requests to a local dynoxide mcp --http or dynoxide serve --mcp server with a non-loopback Host header, which the server would then process. The Host check alone did not close a related cross-origin CSRF vector: a page could fetch the loopback endpoint with mode: 'no-cors', and the Host header would match while the Origin header went unchecked.

Affected MCP write tools include put_item, update_item, delete_item, create_table, and batch_write_item.

The stdio transport (dynoxide mcp without --http) is not affected.

Patches

dynoxide 0.9.13 closes both vectors:

• Upgrades rmcp from 1.1.1 to 1.6.0 (which ships a default Host-header allowlist).
• Sets explicit allowed_hosts and allowed_origins on StreamableHttpServerConfig.

Advisory available under CC0-1.0 license.