{
  "variant_id": "CVE-2026-34742-SSEHandler-Bypass",
  "validation_timestamp": "2026-04-04T13:00:00Z",
  "verdict": "confirmed_distinct_variant",
  "verdict_notes": "Three bypasses confirmed: (1) SSEHandler in v1.4.0 lacks DNS rebinding protection entirely - complete bypass of the fix; (2) DisableLocalhostProtection option allows intentional bypass; (3) MCPGODEBUG env variable allows bypass. The SSEHandler bypass is the most critical as it represents an unpatched code path in the supposedly fixed version.",
  "bypass_type": "incomplete_fix_coverage",
  "bypass_details": "The v1.4.0 fix only applied DNS rebinding protection to StreamableHTTPHandler but failed to apply the same protection to SSEHandler. This represents an incomplete fix where one HTTP handler was secured while another identical handler was left vulnerable.",
  "tested_variants": [
    {
      "variant_name": "SSEHandler DNS Rebinding",
      "result": "confirmed",
      "evidence": "SSEHandler accepted requests with Host: attacker.com (HTTP 404) identically to localhost requests (HTTP 404), showing no protection is present"
    },
    {
      "variant_name": "DisableLocalhostProtection Option",
      "result": "confirmed",
      "evidence": "Server with DisableLocalhostProtection: true accepted requests with evil.com Host header (HTTP 200, not 403)"
    },
    {
      "variant_name": "MCPGODEBUG Environment Variable",
      "result": "confirmed",
      "evidence": "Server with MCPGODEBUG=disablelocalhostprotection=1 accepted requests with attacker-controlled.com Host header (HTTP 200, not 403)"
    }
  ],
  "tested_versions": [
    {
      "version": "v1.3.0",
      "commit_sha": "6b75899fd7dbc168b44b9403b7556be077f88fee",
      "result": "vulnerable_to_original_attack"
    },
    {
      "version": "v1.4.0",
      "commit_sha": "c9317fb5b75328ca2faeaf8ea0e23a53c37de49f",
      "result": "bypass_confirmed",
      "notes": "Fixed for StreamableHTTPHandler but SSEHandler remains vulnerable"
    }
  ],
  "recommendations": [
    "Apply DNS rebinding protection to SSEHandler.ServeHTTP()",
    "Add audit logging when protection is disabled",
    "Document security implications of disable options",
    "Add automated tests for all HTTP handlers"
  ],
  "blocking_mitigation": null,
  "claim_block_reason": null
}