Advisory
cargo audit flags RUSTSEC-2026-0189, a DNS-rebinding vulnerability (CVSS 8.8, high) in rmcp's Streamable HTTP server transport. Affected version in our tree: rmcp 0.9.1, pulled in via rmcp 0.9.1 → auths-mcp-gateway. The advisory's solution is to upgrade to rmcp >= 1.4.0.
Why it's not fixed in this pass
The fix is a breaking major-version bump (0.9 → 1.4) that requires code changes in auths-mcp-gateway (and any other rmcp consumers) to match the new API. That's out of scope for the device-delegation / duplicity work landing now.
Temporary mitigation
The advisory is ignored in .cargo/audit.toml so CI's cargo audit gate is not blocked by a dependency upgrade unrelated to the current PRs. This is safe to ship short-term only if the MCP Streamable-HTTP server transport is not reachable from untrusted origins in how auths runs it. Note that for DNS rebinding "exposed" is broader than "bound to a non-loopback address": the attack reaches loopback and LAN-only HTTP services through a browser on the same host or network, so the question is whether any browser that can reach the listener might load attacker-controlled pages, and whether the transport validates the Host (and Origin) header against the address it is actually bound to. Confirm this, and if the transport is reachable that way, prioritize the upgrade.
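The standard defense against DNS rebinding on a local HTTP listener is to reject any request whose Host header (and, for browser traffic, Origin header) does not name the address the server was bound to: a rebinding victim's browser keeps sending the attacker's hostname even after that name resolves to 127.0.0.1. The following is an added example written for this note, not rmcp's transport code and not what the 1.4 fix does; it assumes a loopback bind on port 8080 and uses hypothetical names (`allowed_hosts`, `check_request`) so the "is it exposed" question above can be checked concretely against a captured request head.

```rust
use std::collections::HashSet;

/// Why a request was rejected; worth logging, since a hit is evidence of an attempt.
#[derive(Debug, PartialEq, Eq)]
pub enum Rejection {
    MissingHost,
    UnexpectedHost(String),
    UnexpectedOrigin(String),
}

/// Host values under which this server is legitimately reachable.
/// Assumption: the transport is bound to loopback on `port`; a deployment
/// bound to another address must list that address here instead.
/// Matching is exact (no default-port normalisation) so it fails closed.
pub fn allowed_hosts(port: u16) -> HashSet<String> {
    ["localhost", "127.0.0.1", "[::1]"]
        .iter()
        .map(|h| format!("{h}:{port}"))
        .collect()
}

/// Pull one header value (name matched case-insensitively) out of a raw
/// HTTP/1.1 request head. `lines()` strips the trailing '\r' of CRLF endings.
fn header<'a>(head: &'a str, name: &str) -> Option<&'a str> {
    head.lines()
        .skip(1) // request line
        .take_while(|l| !l.is_empty()) // headers end at the blank line
        .find_map(|l| {
            let (k, v) = l.split_once(':')?;
            k.trim().eq_ignore_ascii_case(name).then(|| v.trim())
        })
}

/// Reject a request whose Host, or Origin when a browser sent one, does not
/// name this server. Under DNS rebinding both headers carry the attacker's
/// hostname, so the check refuses exactly the rebound requests.
pub fn check_request(head: &str, port: u16) -> Result<(), Rejection> {
    let allowed = allowed_hosts(port);
    let host = header(head, "host")
        .ok_or(Rejection::MissingHost)?
        .to_ascii_lowercase();
    if !allowed.contains(&host) {
        return Err(Rejection::UnexpectedHost(host));
    }
    if let Some(origin) = header(head, "origin") {
        let origin = origin.to_ascii_lowercase();
        // A loopback transport is plain http; an https or foreign origin is rejected.
        let ok = origin
            .strip_prefix("http://")
            .map_or(false, |authority| allowed.contains(authority));
        if !ok {
            return Err(Rejection::UnexpectedOrigin(origin));
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample request heads, not captured traffic.
    let legit = "POST /mcp HTTP/1.1\r\nHost: localhost:8080\r\nContent-Type: application/json\r\n\r\n";
    let rebound = "POST /mcp HTTP/1.1\r\nHost: attacker.example:8080\r\nOrigin: http://attacker.example:8080\r\n\r\n";
    println!("legit:   {:?}", check_request(legit, 8080));
    println!("rebound: {:?}", check_request(rebound, 8080));
}
```

Run it against a request head captured from the actual auths deployment (the bind port substituted for 8080): if the transport accepts a request that this check rejects, it is reachable in the sense the advisory cares about, and the ignore entry should not outlive the current PRs.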
Action
- Upgrade rmcp to >= 1.4.0
- Migrate auths-mcp-gateway (and any other consumers) to the new API
- Remove RUSTSEC-2026-0189 from .cargo/audit.toml