# [CRIT] [GHSA / CRITICAL] CVE-2026-11718: googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken) **Source:** GitHub Security Advisories **Published:** 2026-06-18 **Article:** https://github.com/advisories/GHSA-wcpr-6g7x-p44r ## Threat Profile googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken) An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), the toolbox decodes the response into an introspectResp struct where the Active field is declared as a pointer to a boolean (*bool). The code… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-11717` - **CVE:** `CVE-2026-11718` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1528** — Steal Application Access Token - **T1098.001** — Account Manipulation: Additional Cloud Credentials ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Vulnerable googleapis/mcp-toolbox (< 1.4.0) — CVE-2026-11718 opaque-token auth bypass present `UC_44_2` · phase: **exploit** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities where (Vulnerabilities.cve="CVE-2026-11717" OR Vulnerabilities.cve="CVE-2026-11718" OR Vulnerabilities.signature="*mcp-toolbox*") by Vulnerabilities.dest, Vulnerabilities.cve, Vulnerabilities.signature, Vulnerabilities.severity | `drop_dm_object_name(Vulnerabilities)` | convert ctime(firstTime) ctime(lastTime) | sort 0 + dest ``` **Defender KQL:** ```kql DeviceTvmSoftwareVulnerabilities | where Timestamp > ago(1d) | where CveId in ("CVE-2026-11717", "CVE-2026-11718") | where SoftwareVendor has "google" or SoftwareName has_any ("mcp-toolbox", "toolbox") | summarize arg_max(Timestamp, *) by DeviceId, CveId | project Timestamp, DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate | sort by DeviceName asc ``` ### Internet-facing host running vulnerable mcp-toolbox (< 1.4.0) — exposed auth-bypass surface `UC_44_3` · phase: **exploit** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count from datamodel=Vulnerabilities where (Vulnerabilities.signature="*mcp-toolbox*" OR Vulnerabilities.cve="CVE-2026-11717" OR Vulnerabilities.cve="CVE-2026-11718") by Vulnerabilities.dest, Vulnerabilities.signature, Vulnerabilities.cve | `drop_dm_object_name(Vulnerabilities)` | lookup asset_lookup dest OUTPUT category as asset_category | search asset_category="*internet*" | sort 0 + dest ``` **Defender KQL:** ```kql DeviceTvmSoftwareInventory | where Timestamp > ago(1d) | where SoftwareName has_any ("mcp-toolbox", "toolbox") and SoftwareVendor has "google" | extend CleanVer = trim_start(@"[vV]", SoftwareVersion) | where CleanVer matches regex @"^\d+(\.\d+)+" | where parse_version(CleanVer) < parse_version("1.4.0") | summarize arg_max(Timestamp, *) by DeviceId, SoftwareName | join kind=inner (DeviceInfo | where Timestamp > ago(1d) | summarize arg_max(Timestamp, *) by DeviceId) on DeviceId | where IsInternetFacing == true | project Timestamp, DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, IsInternetFacing, PublicIP | sort by DeviceName asc ``` ### OAuth consent / suspicious app grant `UC_OAUTH_ABUSE` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication.Authentication where Authentication.action="success" AND Authentication.signature IN ( "Consent to application", "Add app role assignment grant to user", "Add OAuth2PermissionGrant", "Add delegated permission grant") by Authentication.user, Authentication.app, Authentication.src, Authentication.signature | `drop_dm_object_name(Authentication)` ``` **Defender KQL:** ```kql CloudAppEvents | where Timestamp > ago(7d) | where ActionType in ("Consent to application.","Add OAuth2PermissionGrant.","Add delegated permission grant.") | project Timestamp, AccountObjectId, AccountDisplayName, ActivityType, ActivityObjects, IPAddress, UserAgent ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-11717`, `CVE-2026-11718` ## Why this matters Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 3 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.