What happened
The MCP Python SDK's legacy WebSocket transport lacked any SDK-level mechanism to restrict which origins could establish a connection, exposing local MCP servers to browser-based cross-origin attacks.
Why it matters
This is a classic cross-site WebSocket hijacking pattern applied to agentic tool servers — a malicious webpage can silently connect to and command a locally running MCP server (e.g. one wired to a developer's coding agent), turning ordinary web browsing into a path to tool-call abuse.
Attack vector
The deprecated mcp.server.websocket.websocket_server transport accepted WebSocket handshakes without validating Host or Origin headers, meaning any website a victim's browser visits could open a WebSocket connection to a locally-running MCP server and interact with it as if it were an authorized client.
Affected systems
MCP Python SDK (mcp on PyPI) prior to 1.28.1
Mitigation
Upgrade to MCP Python SDK 1.28.1 or later; avoid the deprecated websocket transport.