Vulnerability DatabaseCVE-2026-34742

CVE-2026-34742:
MinimOS vulnerability analysis and mitigation

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPHandler or SSEHandler, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. This issue has been patched in version 1.4.0.

Source: NVD

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

7.6

Score

Published April 2, 2026

Severity HIGH

CNA Score 7.6

Affected Technologies

MinimOS

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 17.4

Exploitation Probability (EPSS) 0.1

Affected packages and libraries

github.com/modelcontextprotocol/go-sdk
datadog-agent-7

Sources

NVD
GitHub Advisory Database
- GoLang Severity HIGHHas FixAdded at: Apr 02, 2026
Minimus
- MinimOS Severity HIGHHas FixAdded at: Apr 05, 2026

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related MinimOS vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-40611	HIGH	8.8	Wolfi	traefik-3.6	No	Yes	Apr 16, 2026
CVE-2026-35469	HIGH	8.7	containerd	redis-operator	No	Yes	Apr 16, 2026
CVE-2026-31987	HIGH	7.5	Apache Airflow	airflow-3	No	Yes	Apr 16, 2026
CVE-2026-40293	MEDIUM	6.5	Wolfi	openfga	No	Yes	Apr 17, 2026
CVE-2026-27820	LOW	1.7	Ruby	ruby2.5-devel-extra	No	Yes	Apr 16, 2026