Upgrade rmcp 0.9.1 → 1.4+ (RUSTSEC-2026-0189: DNS rebinding, 8.8 high) #362

Description

@bordumb

Advisory

cargo audit flags RUSTSEC-2026-0189 — a DNS-rebinding vulnerability (CVSS 8.8 high) in rmcp's Streamable HTTP server transport.

Why it's not fixed in this pass

The fix is a breaking major-version bump (0.9 → 1.4) that requires code changes in auths-mcp-gateway (and any other rmcp consumers) to match the new API. That's out of scope for the device-delegation / duplicity work landing now.

Temporary mitigation

The advisory is ignored in .cargo/audit.toml so CI's cargo audit gate is not blocked by a dependency upgrade unrelated to the current PRs. This is safe to ship short-term only if the MCP Streamable-HTTP server transport is not exposed to untrusted origins in how auths runs it — confirm and, if it is, prioritize the upgrade.
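The condition above ("not exposed to untrusted origins") is checkable. The following is an added example, not code from rmcp or from this repository: a dependency-free Rust sketch of the two checks a reviewer would run against the gateway's configuration while the advisory is ignored. The first is the standard DNS-rebinding defence for a locally bound HTTP server, accepting a request only if its Host header (and, for browser clients, its Origin header) names this server; the second confirms the configured bind address is loopback rather than a wildcard. The allow-list values, port and sample headers are constructed for illustration.

```rust
use std::net::SocketAddr;

/// Authorities this server is willing to answer for. Constructed example
/// values; a deployment would list the names and port it is actually
/// reached at.
pub const ALLOWED_HOSTS: &[&str] = &["localhost:8080", "127.0.0.1:8080"];

/// Strip the scheme from an Origin header value, leaving "host[:port]".
fn origin_authority(origin: &str) -> Option<&str> {
    let rest = origin
        .strip_prefix("http://")
        .or_else(|| origin.strip_prefix("https://"))?;
    // An Origin carries no path, but tolerate a trailing slash.
    Some(rest.trim_end_matches('/'))
}

/// DNS-rebinding defence for a browser-reachable local server: accept the
/// request only if the Host header names this server and, when a browser
/// sends an Origin header, that origin is also on the allow-list. A rebound
/// name still arrives with the attacker's hostname in Host/Origin, which is
/// exactly what this rejects. Comparison is ASCII case-insensitive.
pub fn is_trusted_request(host: Option<&str>, origin: Option<&str>, allowed: &[&str]) -> bool {
    let permitted = |authority: &str| allowed.iter().any(|a| a.eq_ignore_ascii_case(authority));
    // A missing or foreign Host header means we cannot vouch for the name
    // the client resolved; refuse.
    let host_ok = host.map(|h| permitted(h)).unwrap_or(false);
    // No Origin header means a non-browser client (an MCP client library,
    // curl); a present Origin must be one of ours.
    let origin_ok = match origin {
        None => true,
        Some(o) => origin_authority(o).map(|a| permitted(a)).unwrap_or(false),
    };
    host_ok && origin_ok
}

/// Is the transport bound only to a loopback address, as opposed to
/// 0.0.0.0 / [::] where it is reachable from the LAN? Unparseable input is
/// treated as not loopback.
pub fn bind_is_loopback(bind: &str) -> bool {
    match bind.parse::<SocketAddr>() {
        Ok(addr) => addr.ip().is_loopback(),
        Err(_) => false,
    }
}

fn main() {
    // Constructed header samples: a local client, a browser on our origin,
    // a rebound hostname, a cross-origin page, and a header-less request.
    let cases = [
        (Some("localhost:8080"), None),
        (Some("localhost:8080"), Some("http://localhost:8080")),
        (Some("attacker.example:8080"), None),
        (Some("localhost:8080"), Some("http://attacker.example")),
        (None, None),
    ];
    for (host, origin) in cases {
        println!(
            "host={:?} origin={:?} -> trusted={}",
            host,
            origin,
            is_trusted_request(host, origin, ALLOWED_HOSTS)
        );
    }
    for bind in ["127.0.0.1:8080", "[::1]:8080", "0.0.0.0:8080"] {
        println!("bind {} loopback={}", bind, bind_is_loopback(bind));
    }
}
```

If the gateway binds to a non-loopback address or is fronted by a reverse proxy, the Host check must be run against the externally visible name, and the ignore entry should be treated as blocking rather than temporary.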

Action

  • Upgrade rmcp to >= 1.4.0
  • Update auths-mcp-gateway (and any other consumers) to the new API
  • Remove RUSTSEC-2026-0189 from .cargo/audit.toml
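For the last step, this is what the temporary entry in `.cargo/audit.toml` looks like in cargo-audit's configuration format, written here as an added illustration rather than copied from the repository; the comment text is constructed, the `[advisories]` table and `ignore` key are cargo-audit's own. Removing the line (or the whole table if it is the only entry) re-arms the CI gate once rmcp is on 1.4+.

```toml
[advisories]
# Temporary: rmcp 0.9.1 DNS rebinding (Streamable HTTP server transport).
# Remove once rmcp >= 1.4.0 lands; tracked in issue #362.
ignore = ["RUSTSEC-2026-0189"]
```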
