{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mcp-python-sdk--1.28.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-59950"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["mcp Python SDK (\u003c 1.28.1)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","server-side","websocket","python","supply-chain"],"_cs_type":"advisory","_cs_vendors":["mcp"],"content_html":"\u003cp\u003eA high-severity vulnerability, identified as CVE-2026-59950, exists in versions of the MCP Python SDK prior to 1.28.1. Specifically, the deprecated \u003ccode\u003emcp.server.websocket.websocket_server\u003c/code\u003e component, which handles WebSocket server transport, fails to perform \u003ccode\u003eHost\u003c/code\u003e or \u003ccode\u003eOrigin\u003c/code\u003e header validation during the WebSocket handshake. This oversight allows cross-origin WebSocket upgrade requests, typically blocked by browser same-origin policies, to be accepted by the server without inspection. A developer must have manually wired this deprecated transport into an ASGI application, as it is not part of the standard MCP specification nor reachable through \u003ccode\u003eFastMCP\u003c/code\u003e. The vulnerability enables a malicious webpage to open an unauthorized WebSocket connection to a reachable MCP server instance, potentially allowing for the enumeration and invocation of server-side tools and the reading of resources, depending on the server's exposed functionalities. This issue primarily affects users running MCP servers bound to localhost or local area network addresses without external authentication or origin validation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user navigates to a malicious webpage controlled by an attacker.\u003c/li\u003e\n\u003cli\u003eThe malicious webpage, served from any origin, attempts to establish a WebSocket connection to a local or LAN-accessible MCP server running the vulnerable \u003ccode\u003emcp.server.websocket.websocket_server\u003c/code\u003e transport on the user's system (e.g., \u003ccode\u003ews://localhost:XXXX/mcp/ws\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe MCP server, due to the lack of \u003ccode\u003eHost\u003c/code\u003e and \u003ccode\u003eOrigin\u003c/code\u003e header validation in its \u003ccode\u003ewebsocket_server()\u003c/code\u003e implementation, accepts the cross-origin WebSocket handshake from the malicious webpage.\u003c/li\u003e\n\u003cli\u003eA Starlette \u003ccode\u003eWebSocket\u003c/code\u003e connection is established, and the \u003ccode\u003einitialize\u003c/code\u003e handshake is completed without requiring any token or prior session.\u003c/li\u003e\n\u003cli\u003eThe malicious webpage sends JSON-RPC requests over the established WebSocket connection to the MCP server.\u003c/li\u003e\n\u003cli\u003eThe MCP server processes these unauthorized JSON-RPC requests, allowing the malicious webpage to invoke server-side tools and read sensitive resources exposed by the server.\u003c/li\u003e\n\u003cli\u003eThe final impact depends on the specific functionalities exposed by the exploited MCP server, potentially leading to information disclosure or arbitrary command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-59950 can allow a malicious webpage to establish an unauthorized WebSocket connection to a vulnerable MCP server running on the victim's localhost or local area network. If the server is exposed without additional authentication or origin gates, the malicious webpage can enumerate and invoke the server's tools and read its resources. The direct consequences of exploitation are entirely dependent on the specific functionalities and data exposed by the MCP server instance. For instance, if the server exposes sensitive tools or configuration data, an attacker could potentially execute arbitrary commands or exfiltrate confidential information. While some browsers may prompt a user before allowing connections to local network addresses, this user interaction is not a substitute for robust server-side validation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003emcp\u003c/code\u003e Python SDK to version 1.28.1 or later to apply the patch for CVE-2026-59950.\u003c/li\u003e\n\u003cli\u003eConfigure \u003ccode\u003eTransportSecuritySettings\u003c/code\u003e with \u003ccode\u003eenable_dns_rebinding_protection=True\u003c/code\u003e and appropriate \u003ccode\u003eallowed_hosts\u003c/code\u003e and \u003ccode\u003eallowed_origins\u003c/code\u003e when initializing \u003ccode\u003ewebsocket_server()\u003c/code\u003e to enable proper Host/Origin header validation.\u003c/li\u003e\n\u003cli\u003eMigrate off the deprecated \u003ccode\u003ewebsocket_server()\u003c/code\u003e transport to \u003ccode\u003eStreamable HTTP\u003c/code\u003e where \u003ccode\u003eFastMCP\u003c/code\u003e automatically provides protection for localhost binds.\u003c/li\u003e\n\u003cli\u003eEnsure that any MCP server instances exposed to networks (even local) are protected by a separate authentication or origin validation layer.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T20:17:38Z","date_published":"2026-07-16T20:17:38Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mcp-websocket-vulnerability/","summary":"A high-severity vulnerability (CVE-2026-59950) in the deprecated `mcp.server.websocket.websocket_server` component of the MCP Python SDK allows malicious webpages to bypass same-origin policy and establish unauthorized WebSocket connections, enabling attackers to invoke server tools and read resources from affected local or LAN-bound MCP servers.","title":"MCP Python SDK WebSocket Server Lacks Host/Origin Validation","url":"https://feed.craftedsignal.io/briefs/2026-07-mcp-websocket-vulnerability/"}],"language":"en","title":"CraftedSignal Threat Feed - Mcp Python SDK (\u003c 1.28.1)","version":"https://jsonfeed.org/version/1.1"}