Go MCP SDK Vulnerable to Cross-Site POST Requests (CVE-2026-33252)
The Go MCP SDK before v1.4.1 is vulnerable to cross-site POST requests due to insufficient Origin validation and Content-Type enforcement, potentially leading to arbitrary tool execution on local servers in stateless or sessionless deployments.
The Go MCP SDK (which uses Go's standard encoding/json) was found to have a vulnerability in its cross-site request handling. Specifically, in versions prior to 1.4.1 the SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without proper validation: it neither validated the Origin header nor required Content-Type: application/json. This matters because a browser will submit a cross-site form POST carrying a text/plain or form-encoded body without a CORS preflight, so a web page visited by the user could deliver a JSON-RPC request to an MCP server listening on localhost. In deployments lacking robust authorization mechanisms, particularly those…
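The following is an added example, not code from the Go MCP SDK or from the advisory, illustrating the two checks the description above says were missing and why they stop a browser-originated cross-site POST. The allowlist, the handler names and the /mcp path are assumptions for the demonstration; the SDK's own API for configuring origins may differ.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedOrigins is a hypothetical allowlist for a local MCP server (assumption).
var allowedOrigins = map[string]bool{
	"http://localhost:8080": true,
	"http://127.0.0.1:8080": true,
}

// vulnerableHandler is a simplified stand-in for the pre-1.4.1 behaviour described
// above: every POST body is handed to the JSON-RPC layer, whatever its Origin or
// Content-Type. The "tool executed" result is a placeholder, not real tool output.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, `{"jsonrpc":"2.0","id":1,"result":"tool executed"}`)
}

// originAllowed accepts only origins on the allowlist. Unparseable values and the
// literal "null" origin (sent by sandboxed iframes) parse without scheme/host and fail.
func originAllowed(origin string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	return allowedOrigins[strings.ToLower(u.Scheme+"://"+u.Host)]
}

// hardened wraps a POST handler with the two checks the fix adds. A browser can only
// send a cross-site POST without a CORS preflight when the body is text/plain,
// application/x-www-form-urlencoded or multipart/form-data, so requiring
// application/json blocks forged form posts even before the Origin check applies.
func hardened(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost {
			// Browsers always set Origin on cross-site POSTs; non-browser clients may omit it.
			if origin := r.Header.Get("Origin"); origin != "" && !originAllowed(origin) {
				http.Error(w, "forbidden origin", http.StatusForbidden)
				return
			}
			// ParseMediaType strips parameters such as "; charset=utf-8".
			mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
			if err != nil || mt != "application/json" {
				http.Error(w, "unsupported media type", http.StatusUnsupportedMediaType)
				return
			}
		}
		next(w, r)
	}
}

// send issues an in-memory POST to the handler and returns the HTTP status code.
func send(h http.HandlerFunc, origin, contentType, body string) int {
	req := httptest.NewRequest(http.MethodPost, "http://127.0.0.1:8080/mcp", strings.NewReader(body))
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	// Constructed request body: what a form with enctype=text/plain on an attacker
	// page could deliver; the Origin is the attacker's site, set by the browser.
	const crossSite = `{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"run"}}`
	fmt.Println("vulnerable, cross-site form POST:", send(vulnerableHandler, "https://evil.example", "text/plain", crossSite))
	fmt.Println("hardened, cross-site form POST:  ", send(hardened(vulnerableHandler), "https://evil.example", "text/plain", crossSite))
	fmt.Println("hardened, local MCP client:      ", send(hardened(vulnerableHandler), "", "application/json", crossSite))
}
```

The Content-Type check is the one that blocks the no-preflight browser path on its own; the Origin check additionally rejects JSON posts from a page that did pass a preflight because of an over-permissive CORS configuration, or where the Origin is present but not local.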
Detection coverage (1)
Rule: Detect Go MCP SDK CVE-2026-33252 Exploitation Attempt via HTTP POST
Severity: high. Detects potential exploitation attempts of CVE-2026-33252 in Go MCP SDK based on suspicious HTTP POST requests lacking 'Content-Type: application/json'. On its own a missing application/json Content-Type only narrows the search, since any non-JSON POST matches; an Origin header naming a non-local site on the same request is the stronger sign of a browser-originated cross-site POST.