MCP Python SDK WebSocket Server Lacks Host/Origin Validation
A high-severity vulnerability (CVE-2026-59950) in the deprecated `mcp.server.websocket.websocket_server` component of the MCP Python SDK allows malicious webpages to bypass same-origin policy and establish unauthorized WebSocket connections, enabling attackers to invoke server tools and read resources from affected local or LAN-bound MCP servers.
A high-severity vulnerability, identified as CVE-2026-59950, exists in versions of the MCP Python SDK prior to 1.28.1. Specifically, the deprecated mcp.server.websocket.websocket_server component, which handles WebSocket server transport, fails to perform Host or Origin header validation during the WebSocket handshake. This oversight allows cross-origin WebSocket upgrade requests, typically blocked by browser same-origin policies, to be accepted by the server without inspection. A developer must have manually wired this deprecated transport into an ASGI application, as it is not part of the standard MCP specification nor reachable through FastMCP. The vulnerability enables a malicious webpage to open an unauthorized WebSocket connection to a reachable MCP server instance, potentially allowing for the enumeration and invocation of server-side tools and the reading of resources, depending on the server's exposed functionalities. This issue primarily affects users running MCP servers bound to localhost or local area network addresses without external authentication or origin validation.
Attack Chain
- A user navigates to a malicious webpage controlled by an attacker.
- The malicious webpage, served from any origin, attempts to establish a WebSocket connection to a local or LAN-accessible MCP server running the vulnerable
mcp.server.websocket.websocket_servertransport on the user's system (e.g.,ws://localhost:XXXX/mcp/ws). - The MCP server, due to the lack of
HostandOriginheader validation in itswebsocket_server()implementation, accepts the cross-origin WebSocket handshake from the malicious webpage. - A Starlette
WebSocketconnection is established, and theinitializehandshake is completed without requiring any token or prior session. - The malicious webpage sends JSON-RPC requests over the established WebSocket connection to the MCP server.
- The MCP server processes these unauthorized JSON-RPC requests, allowing the malicious webpage to invoke server-side tools and read sensitive resources exposed by the server.
- The final impact depends on the specific functionalities exposed by the exploited MCP server, potentially leading to information disclosure or arbitrary command execution.
Impact
The successful exploitation of CVE-2026-59950 can allow a malicious webpage to establish an unauthorized WebSocket connection to a vulnerable MCP server running on the victim's localhost or local area network. If the server is exposed without additional authentication or origin gates, the malicious webpage can enumerate and invoke the server's tools and read its resources. The direct consequences of exploitation are entirely dependent on the specific functionalities and data exposed by the MCP server instance. For instance, if the server exposes sensitive tools or configuration data, an attacker could potentially execute arbitrary commands or exfiltrate confidential information. While some browsers may prompt a user before allowing connections to local network addresses, this user interaction is not a substitute for robust server-side validation.
Recommendation
- Upgrade the
mcpPython SDK to version 1.28.1 or later to apply the patch for CVE-2026-59950. - Configure
TransportSecuritySettingswithenable_dns_rebinding_protection=Trueand appropriateallowed_hostsandallowed_originswhen initializingwebsocket_server()to enable proper Host/Origin header validation. - Migrate off the deprecated
websocket_server()transport toStreamable HTTPwhereFastMCPautomatically provides protection for localhost binds. - Ensure that any MCP server instances exposed to networks (even local) are protected by a separate authentication or origin validation layer.