## Model Context Protocol Java SDK Contains Reachable High-Severity Vulnerability as AI Tool Integrations Expand
Security scanning has identified two vulnerabilities in the Model Context Protocol (MCP) Java SDK version 0.16.0, with the highest reaching a CVSS score of 8.1 and marked as reachable. The flaws reside in the mcp-core-0.16.0.jar transitive dependency, which the SDK relies upon to enable seamless integration between language models and AI tools. Neither vulnerability currently has a remediation path or fix version available.

The most severe flaw, tracked as CVE-2026-35568, carries a CVSS score of 8.1 and is flagged as exploitable through reachable attack vectors. A second medium-severity vulnerability, CVE-2026-34237 (CVSS 6.1), was also identified in the same dependency chain. Both issues stem from the mcp-core library rather than the primary SDK package, meaning they propagate through the software supply chain via Maven dependency declarations found in /packages/server/pom.xml. The Model Context Protocol serves as a standardized framework enabling AI systems to connect with external tools and data sources, making these vulnerabilities particularly concerning as adoption of MCP-based integrations continues to grow.

Organizations using this specific version of the MCP Java SDK face potential risk if the reachable vulnerability can be triggered through malicious inputs or manipulated tool interactions. Security teams should monitor the Mend vulnerability database for updates regarding available patches, consider dependency pinning strategies, and evaluate compensating controls around AI tool integration endpoints. The EPSS score for these vulnerabilities remains below 1%, indicating a low estimated probability of exploitation in the near term, though this could shift as MCP adoption accelerates across enterprise AI deployments.
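
To see which direct dependency in a build pulls in the affected mcp-core-0.16.0.jar, the following added example (not from the original report or the MCP project) parses `mvn dependency:tree` output and returns each chain from the module root to that jar. The sample tree, its group IDs and the function names are constructed for illustration.

```python
import re

# Constructed sample of `mvn dependency:tree` output. Only the artifact name
# mcp-core and version 0.16.0 come from the report; the rest is assumed.
SAMPLE_TREE = r"""[INFO] com.example:server:jar:1.0.0
[INFO] +- io.modelcontextprotocol.sdk:mcp:jar:0.16.0:compile
[INFO] |  +- io.modelcontextprotocol.sdk:mcp-core:jar:0.16.0:compile
[INFO] |  |  \- org.slf4j:slf4j-api:jar:2.0.16:compile
[INFO] +- com.example:legacy-tools:jar:2.3.0:compile
[INFO] \- org.junit.jupiter:junit-jupiter:jar:5.10.2:test
"""

# Optional "[INFO] " prefix, 3-char indent units, "+- " or "\- " marker, coordinate.
LINE = re.compile(r"^(?:\[INFO\] )?((?:[| ] {2})*)([+\\]- )?(\S+)(?: \(.*\))?$")

def parse_tree(text):
    """Yield (depth, group, artifact, version, scope) for each tree line."""
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # banners and other non-tree log lines
        indent, marker, coord = m.groups()
        parts = coord.split(":")
        if len(parts) < 4:
            continue  # separators such as "-----"
        depth = len(indent) // 3 + (1 if marker else 0)
        # Root is group:artifact:type:version; dependencies append :scope.
        version, scope = (parts[-1], None) if depth == 0 else (parts[-2], parts[-1])
        yield depth, parts[0], parts[1], version, scope

def paths_to(text, artifact, version):
    """Return every root-to-target chain for artifact:version in the tree."""
    stack, hits = [], []
    for depth, group, art, ver, scope in parse_tree(text):
        del stack[depth:]  # discard siblings and deeper nodes from earlier lines
        stack.append(f"{group}:{art}:{ver}")
        if art == artifact and ver == version:
            hits.append({"chain": list(stack), "scope": scope,
                         "direct": depth == 1})
    return hits

if __name__ == "__main__":
    for hit in paths_to(SAMPLE_TREE, "mcp-core", "0.16.0"):
        print(" -> ".join(hit["chain"]), f"(scope={hit['scope']}, direct={hit['direct']})")
```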

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, CVE-2026-35568, CVE-2026-34237, MCP, Java SDK
- **Credibility**: unverified
- **Published**: 2026-04-29 01:54:09
- **ID**: 78021
- **URL**: https://whisperx.ai/en/intel/78021