A high-severity vulnerability affecting mcp versions , the deprecated WebSocket server transport (`mcp, CVE-2026-59950 with a CVSS score of 7.6, exists in the MCP Python SDK's WebSocket server transport due to its lack of Host/Origin validation. This allows an attacker to connect from any origin and issue JSON-RPC requests on the resulting session, potentially leading to unauthorized access and data exposure if the server exposes sensitive resources. The vulnerability affects versions prior to 1.28.1, while version 1.28.1 or later includes optional security settings for Host/Origin validation that require explicit configuration to enable protection. This flaw is related to CWE-346 and CWE-1385, and its attack vector is network-based (AV:N). The business impact of this vulnerability is significant, as it could allow an attacker to access sensitive resources on the server, potentially leading to data breaches or other security incidents.
We recommend you to upgrade MCP to version 1.28.1.[/subscribe_to_unlock_form]
A high-severity vulnerability affecting mcp versions , the deprecated WebSocket server transport (`mcp, CVE-2026-59950 with a CVSS score of 7.6, exists in the MCP Python SDK's WebSocket server transport due to its lack of Host/Origin validation. This allows an attacker to connect from any origin and issue JSON-RPC requests on the resulting session, potentially leading to unauthorized access and data exposure if the server exposes sensitive resources. The vulnerability affects versions prior to 1.28.1, while version 1.28.1 or later includes optional security settings for Host/Origin validation that require explicit configuration to enable protection. This flaw is related to CWE-346 and CWE-1385, and its attack vector is network-based (AV:N). The business impact of this vulnerability is significant, as it could allow an attacker to access sensitive resources on the server, potentially leading to data breaches or other security incidents.
We recommend you to upgrade MCP to version 1.28.1.[emaillocker id="1283"]
The following reports contain further technical details:
[/emaillocker]