{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/go-mcp-sdk/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-33252","cross-site request forgery","go-mcp-sdk"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Go MCP SDK, utilizing Go\u0026rsquo;s standard \u003ccode\u003eencoding/json\u003c/code\u003e, was found to have a vulnerability related to cross-site request handling. Specifically, versions prior to 1.4.1 of the SDK\u0026rsquo;s Streamable HTTP transport accepted browser-generated cross-site \u003ccode\u003ePOST\u003c/code\u003e requests without proper validation. The absence of \u003ccode\u003eOrigin\u003c/code\u003e header validation and the lack of a requirement for \u003ccode\u003eContent-Type: application/json\u003c/code\u003e created a security gap. In deployments lacking robust authorization mechanisms, particularly those…\u003c/p\u003e\n","date_modified":"2026-03-24T00:16:30Z","date_published":"2026-03-24T00:16:30Z","id":"/briefs/2024-01-01-go-mcp-cve/","summary":"The Go MCP SDK before v1.4.1 is vulnerable to cross-site POST requests due to insufficient origin validation and content type enforcement, potentially leading to arbitrary tool execution on local servers in stateless or sessionless deployments.","title":"Go MCP SDK Vulnerable to Cross-Site POST Requests (CVE-2026-33252)","url":"https://feed.craftedsignal.io/briefs/2024-01-01-go-mcp-cve/"}],"language":"en","title":"CraftedSignal Threat Feed — Go-Mcp-Sdk","version":"https://jsonfeed.org/version/1.1"}