Skip to content
Threat Feed

Vendor

Mcp

3 briefs RSS
high advisory

MCP Python SDK WebSocket Server Lacks Host/Origin Validation

A high-severity vulnerability (CVE-2026-59950) in the deprecated `mcp.server.websocket.websocket_server` component of the MCP Python SDK allows malicious webpages to bypass same-origin policy and establish unauthorized WebSocket connections, enabling attackers to invoke server tools and read resources from affected local or LAN-bound MCP servers.

mcp Python SDK vulnerability server-side websocket python supply-chain
2t 1c
high advisory

MCP Python SDK Authentication Bypass Vulnerability (CVE-2026-52869)

A high-severity authentication bypass vulnerability, CVE-2026-52869, exists in affected versions of the MCP Python SDK's HTTP transports, allowing an attacker who obtains or guesses a session ID to send JSON-RPC messages to an existing session without verifying the authenticated principal, thereby bypassing per-client isolation and potentially injecting messages.

MCP Python SDK <= 1.27.1 vulnerability authentication-bypass python sdk web-application
1t 1c
medium advisory

MCP Python SDK Vulnerability Allows Cross-Client Task Access and Cancellation (CVE-2026-52870)

A high-severity vulnerability (CVE-2026-52870) in the MCP Python SDK's experimental task handlers, specifically in versions 1.23.0 through 1.27.1, allows any connected client to observe, read results from, and cancel tasks belonging to other clients due to a lack of session validation, potentially leading to unauthorized data access and denial of service.

mcp vulnerability server-side-request-forgery data-exfiltration denial-of-service
3t 1c