Vulnerability  ·  2026-07-17

MCP Python SDK — Deprecated WebSocket Transport Lacks Host/Origin Validation

VulnerabilityHigh impactGlobalCVE-2026-59950
The MCP Python SDK's legacy WebSocket transport lacked any SDK-level mechanism to restrict which origins could establish a connection, exposing local MCP servers to browser-based cross-origin attacks.
This is a classic cross-site WebSocket hijacking pattern applied to agentic tool servers — a malicious webpage can silently connect to and command a locally running MCP server (e.g. one wired to a developer's coding agent), turning ordinary web browsing into a path to tool-call abuse.
The deprecated mcp.server.websocket.websocket_server transport accepted WebSocket handshakes without validating Host or Origin headers, meaning any website a victim's browser visits could open a WebSocket connection to a locally-running MCP server and interact with it as if it were an authorized client.
MCP Python SDK (mcp on PyPI) prior to 1.28.1
Upgrade to MCP Python SDK 1.28.1 or later; avoid the deprecated websocket transport.
NVD CVE-2026-59950
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →