A critical vulnerability in the Go MCP SDK exposes AI agent deployments to DNS rebinding attacks when using Go's standard encoding/json package prior to version 1.4.0. Disclosed as CVE-2026-34742, this flaw allows attackers to bypass same-origin protections and interact with internal services that agents are configured to trust. For operators running MCP servers in production environments, this is a direct path from a compromised external resource to unauthorized local API access.
How DNS Rebinding Attacks MCP Infrastructure
DNS rebinding exploits the gap between DNS resolution time and a connection's lifetime. An attacker controls a domain that first resolves to an external IP (bypassing CORS and same-origin checks), then rapidly switches its DNS record to an internal IP address. Because the browser or HTTP client treats the connection as same-origin based on the original resolution, it permits requests to internal services that should never be reachable from the outside.
In the context of MCP, this is particularly dangerous. MCP servers frequently bridge LLMs to local tools, filesystems, and internal APIs. The Go MCP SDK's use of encoding/json prior to version 1.4.0 created conditions where JSON parsing from an untrusted MCP server response could be paired with a DNS-rebound connection, giving an attacker a foothold inside the agent's trusted compute boundary. Once inside, the attacker can invoke tools, exfiltrate data, or pivot to other internal services.
Why This Vulnerability Is Urgent for Agent Operators
AI agents operate with elevated trust by design. An MCP server configured in mcp.json or equivalent is explicitly granted tool-calling privileges. When that server is reached over HTTP — whether directly or through an intermediary — DNS rebinding subverts the assumption that "external" means "untrusted."
The real-world risk is supply-chain and tool-poisoning combined. An attacker does not need to compromise your infrastructure directly. They only need to convince your agent to fetch an MCP server resource from a domain they control. If that domain's DNS later resolves to localhost or an internal service, the agent's HTTP client may forward authenticated requests to APIs that trust localhost connections. In cloud deployments, this can expose metadata services, kubelet endpoints, or internal admin panels.
The severity is high because the attack is silent, requires no user interaction after configuration, and exploits a standard library behavior that many developers assume is safe.
Defensive Measures and Detection
Operators should enforce three layers of defense: strict DNS pinning, network segmentation, and request validation.
1. Pin DNS resolution to prevent rebinding
Go's net/http allows custom DialContext behavior. Pin the resolved IP before the request is sent, and reject any resolution that changes mid-connection:
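    // Requires imports: context, fmt, net, net/http.
    transport := &http.Transport{
        DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
            host, port, err := net.SplitHostPort(addr)
            if err != nil {
                return nil, err
            }
            // Resolve once, honouring the request's context (cancellation, deadline).
            ips, err := net.DefaultResolver.LookupIP(ctx, "ip", host)
            if err != nil {
                return nil, err
            }
            // Reject the whole answer if any address is loopback, private, or
            // link-local (the range cloud metadata services use).
            for _, ip := range ips {
                if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() {
                    return nil, fmt.Errorf("private IP blocked: %s", ip)
                }
            }
            // Dial the validated IP itself, so no second lookup can return a different answer.
            var d net.Dialer
            return d.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
        },
    }
    client := &http.Client{Transport: transport}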
2. Segment MCP server networks
Run MCP servers in isolated network namespaces. Even if DNS rebinding reaches an internal IP, that IP should not resolve to a production service. Use container networks, reverse proxies, or service meshes to enforce that MCP traffic never shares a network path with sensitive internal APIs.
3. Validate request targets explicitly
Before any MCP tool invocation, validate that the resolved endpoint matches an allowlist. Do not rely on DNS names alone — resolve and verify IPs against known-good ranges. If your MCP server configuration resembles the VS Code mcp.json pattern, add a pre-flight check in your agent's initialization logic:
    {
      "servers": {
        "filesystem": {
          "command": "npx",
          "args": ["-y", "@modelcontextprotocol/server-filesystem", "${workspaceFolder}"],
          "allowedNetworks": ["127.0.0.1/32"]
        }
      }
    }
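One way to write that pre-flight check, as an added example rather than code from the SDK or from VS Code: it treats allowedNetworks as a list the agent's own start-up code enforces, and the Preflight function, the server URL and the injectable resolver are assumptions made so the check can be exercised offline.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// allowed reports whether ip is inside any CIDR; a bad or empty list fails closed.
func allowed(ip net.IP, cidrs []string) bool {
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// Preflight resolves the host in rawURL and returns an error unless every
// address in the answer is inside allowedNetworks. resolve is injectable so the
// check runs offline; in production pass net.LookupIP.
func Preflight(rawURL string, allowedNetworks []string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(rawURL)
	if err != nil || u.Hostname() == "" {
		return fmt.Errorf("unusable MCP server url %q", rawURL)
	}
	ips, err := resolve(u.Hostname())
	if err != nil || len(ips) == 0 {
		return fmt.Errorf("cannot resolve %q", u.Hostname())
	}
	for _, ip := range ips {
		if !allowed(ip, allowedNetworks) {
			return fmt.Errorf("%s resolved to %s, outside allowedNetworks", u.Hostname(), ip)
		}
	}
	return nil
}

func main() {
	// Constructed case: the name answers with one allowlisted and one loopback address.
	mixed := func(string) ([]net.IP, error) {
		return []net.IP{net.ParseIP("203.0.113.10"), net.ParseIP("127.0.0.1")}, nil
	}
	fmt.Println(Preflight("http://mcp.example.test:8080/mcp", []string{"203.0.113.0/24"}, mixed))
}
```

This check resolves the name separately from the connection that follows, so it complements the pinned DialContext from step 1 rather than replacing it.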
Immediate Actions for Teams
- Audit all Go MCP SDK deployments and upgrade to version 1.4.0 or later. The fix addresses the encoding/json interaction that enabled this attack path.
- Review any custom HTTP transports in your agent stack. If you use net/http directly, apply the DNS pinning pattern above.
- Inspect firewall and container network rules. MCP servers should not have unrestricted egress or access to internal service discovery endpoints.
- Add logging for DNS resolution changes and private-IP connections initiated by agent processes. Anomalies here are early indicators of rebinding attempts.
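The logging described in the last item can be driven by a small stateful classifier. The following is an added example, not part of the SDK: the Watcher type, its verdict strings and the sample hostname are assumptions, and the observations in main are constructed.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

type answer struct {
	set      string // sorted, comma-joined addresses
	internal bool   // any loopback, private, link-local or unspecified address
}

// Watcher maps each hostname to the last DNS answer recorded for it.
type Watcher map[string]answer

// Observe records one resolution and returns "ok", "changed" (new answer set),
// "internal", or "rebind-suspect" (last seen public, now points inside).
func (w Watcher) Observe(host string, ips []net.IP) string {
	var cur answer
	var addrs []string
	for _, ip := range ips {
		addrs = append(addrs, ip.String())
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			cur.internal = true
		}
	}
	sort.Strings(addrs)
	cur.set = strings.Join(addrs, ",")
	prev, known := w[host]
	w[host] = cur
	switch {
	case known && !prev.internal && cur.internal:
		return "rebind-suspect"
	case cur.internal:
		return "internal"
	case known && prev.set != cur.set:
		return "changed"
	}
	return "ok"
}

func main() {
	w := Watcher{} // constructed observations: public twice, then loopback
	for _, a := range []string{"203.0.113.10", "203.0.113.10", "127.0.0.1"} {
		fmt.Println("mcp.example.test", a, w.Observe("mcp.example.test", []net.IP{net.ParseIP(a)}))
	}
}
```

Calling Observe from the same place the agent resolves names, such as the DialContext hook, keeps the log aligned with the addresses actually dialed.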
This vulnerability is a reminder that AI agent security is endpoint security. The MCP protocol creates powerful bridges between models and systems — but every bridge is also a potential crossing point for attackers. Hardening DNS behavior, isolating server networks, and validating every resolved address are essential steps in keeping that crossing closed.
Key Takeaways
DNS rebinding is not a new attack, but its intersection with MCP infrastructure makes CVE-2026-34742 a concrete risk for production agent deployments. The vulnerability exploits trust placed in external MCP resources to reach internal services. Upgrading the Go MCP SDK, pinning DNS resolutions, and segmenting networks are the immediate priorities. For ongoing protection, treat every MCP server connection as untrusted until its resolved endpoint is explicitly verified.
