<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Mcp Python SDK (&lt; 1.28.1) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/mcp-python-sdk--1.28.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 20:17:38 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/mcp-python-sdk--1.28.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>MCP Python SDK WebSocket Server Lacks Host/Origin Validation</title><link>https://feed.craftedsignal.io/briefs/2026-07-mcp-websocket-vulnerability/</link><pubDate>Thu, 16 Jul 2026 20:17:38 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-mcp-websocket-vulnerability/</guid><description>A high-severity vulnerability (CVE-2026-59950) in the deprecated `mcp.server.websocket.websocket_server` component of the MCP Python SDK allows malicious webpages to bypass same-origin policy and establish unauthorized WebSocket connections, enabling attackers to invoke server tools and read resources from affected local or LAN-bound MCP servers.</description><content:encoded><![CDATA[<p>A high-severity vulnerability, identified as CVE-2026-59950, exists in versions of the MCP Python SDK prior to 1.28.1. Specifically, the deprecated <code>mcp.server.websocket.websocket_server</code> component, which handles WebSocket server transport, fails to perform <code>Host</code> or <code>Origin</code> header validation during the WebSocket handshake. This oversight allows cross-origin WebSocket upgrade requests, typically blocked by browser same-origin policies, to be accepted by the server without inspection. A developer must have manually wired this deprecated transport into an ASGI application, as it is not part of the standard MCP specification nor reachable through <code>FastMCP</code>. The vulnerability enables a malicious webpage to open an unauthorized WebSocket connection to a reachable MCP server instance, potentially allowing for the enumeration and invocation of server-side tools and the reading of resources, depending on the server's exposed functionalities. This issue primarily affects users running MCP servers bound to localhost or local area network addresses without external authentication or origin validation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user navigates to a malicious webpage controlled by an attacker.</li>
<li>The malicious webpage, served from any origin, attempts to establish a WebSocket connection to a local or LAN-accessible MCP server running the vulnerable <code>mcp.server.websocket.websocket_server</code> transport on the user's system (e.g., <code>ws://localhost:XXXX/mcp/ws</code>).</li>
<li>The MCP server, due to the lack of <code>Host</code> and <code>Origin</code> header validation in its <code>websocket_server()</code> implementation, accepts the cross-origin WebSocket handshake from the malicious webpage.</li>
<li>A Starlette <code>WebSocket</code> connection is established, and the <code>initialize</code> handshake is completed without requiring any token or prior session.</li>
<li>The malicious webpage sends JSON-RPC requests over the established WebSocket connection to the MCP server.</li>
<li>The MCP server processes these unauthorized JSON-RPC requests, allowing the malicious webpage to invoke server-side tools and read sensitive resources exposed by the server.</li>
<li>The final impact depends on the specific functionalities exposed by the exploited MCP server, potentially leading to information disclosure or arbitrary command execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-59950 can allow a malicious webpage to establish an unauthorized WebSocket connection to a vulnerable MCP server running on the victim's localhost or local area network. If the server is exposed without additional authentication or origin gates, the malicious webpage can enumerate and invoke the server's tools and read its resources. The direct consequences of exploitation are entirely dependent on the specific functionalities and data exposed by the MCP server instance. For instance, if the server exposes sensitive tools or configuration data, an attacker could potentially execute arbitrary commands or exfiltrate confidential information. While some browsers may prompt a user before allowing connections to local network addresses, this user interaction is not a substitute for robust server-side validation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>mcp</code> Python SDK to version 1.28.1 or later to apply the patch for CVE-2026-59950.</li>
<li>Configure <code>TransportSecuritySettings</code> with <code>enable_dns_rebinding_protection=True</code> and appropriate <code>allowed_hosts</code> and <code>allowed_origins</code> when initializing <code>websocket_server()</code> to enable proper Host/Origin header validation.</li>
<li>Migrate off the deprecated <code>websocket_server()</code> transport to <code>Streamable HTTP</code> where <code>FastMCP</code> automatically provides protection for localhost binds.</li>
<li>Ensure that any MCP server instances exposed to networks (even local) are protected by a separate authentication or origin validation layer.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>server-side</category><category>websocket</category><category>python</category><category>supply-chain</category></item></channel></rss>