# CVE-2026-34742

## Summary

Go MCP SDK DNS Rebinding - Server-Side Request Forgery on AI Infrastructure

## Description

A DNS rebinding vulnerability in Go MCP SDK < 1.4.0 allows attackers to bypass the 127.0.0.1/localhost protection via DNS manipulation.

Attack:

1. The attacker controls DNS and resolves a malicious domain to their IP.
2. The attacker sends an MCP request claiming localhost origin.
3. The MCP server accepts the connection based on DNS.
4. The attacker changes DNS to point to the real malicious IP.
5. The server connects to the attacker-controlled endpoint thinking it's localhost.

Result: SSRF, credential theft, internal network access.

- Affects: Go MCP SDK < 1.4.0
- Fixed: v1.4.0 added DNS rebinding protection
- CVSS: 8.1

Reproduction: Clone go-mcp-sdk v1.3.0, build the example server, simulate DNS rebinding with /etc/hosts manipulation, and observe the server connecting to the attacker IP.
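
A common server-side defense against DNS rebinding on a localhost-bound HTTP service is to reject requests whose `Host` header does not name the loopback interface. The sketch below is an added example, not the SDK's v1.4.0 fix or any code from the project; it assumes the server is exposed through Go's `net/http`, and `isLoopbackHost`, `hostAllowed` and `rebindGuard` are hypothetical names.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"strings"
)

// isLoopbackHost reports whether a Host header value names the loopback
// interface: "localhost" or a literal loopback IP, with or without a port.
func isLoopbackHost(hostport string) bool {
	host := hostport
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		host = h
	}
	host = strings.Trim(strings.TrimSuffix(strings.ToLower(host), "."), "[]")
	if host == "localhost" {
		return true
	}
	addr, err := netip.ParseAddr(host)
	return err == nil && addr.IsLoopback()
}

// hostAllowed applies the rule: a connection accepted on a loopback address
// must carry a loopback Host header. Other listeners are out of scope here.
func hostAllowed(localAddr, hostHeader string) bool {
	ap, err := netip.ParseAddrPort(localAddr)
	if err != nil || !ap.Addr().IsLoopback() {
		return true
	}
	return isLoopbackHost(hostHeader)
}

// rebindGuard (hypothetical name) wraps any handler with the check.
func rebindGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if la, ok := r.Context().Value(http.LocalAddrContextKey).(net.Addr); ok &&
			!hostAllowed(la.String(), r.Host) {
			http.Error(w, "forbidden Host header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample Host values, as seen by a server bound to 127.0.0.1:8080.
	for _, h := range []string{"localhost:8080", "[::1]:8080", "rebind.attacker.example:8080"} {
		fmt.Printf("%-30s allowed=%v\n", h, hostAllowed("127.0.0.1:8080", h))
	}
}
```

The check keys on the address the connection was accepted on, so a name that merely resolves to 127.0.0.1 is still rejected because its `Host` value is not a loopback literal or `localhost`.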

## Metadata

- Product: go-mcp-sdk
- Severity: high
- Status: open
