Main Vulnerability Database SB2026041041

SB2026041041 - IBM watsonx.data update for MCP Python SDK (mcp)

Published: April 10, 2026

Security Bulletin ID SB2026041041

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Insecure dfefault initialization of resource (CVE-ID: CVE-2025-66416)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to software does not enable DNS rebinding protection by default for HTTP-based servers. A remote attacker can trick the victim into visiting a malicious website and to bypass same-origin policy restrictions by exploiting DNS rebinding and initiate requests to the local MCP server.

Successful exploitation of the vulnerability requires that an HTTP-based MCP server is running on the localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured TransportSecuritySettings.

Remediation

Install update from vendor's website.

References

https://www.ibm.com/support/pages/node/7268889