{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/mcp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-59950"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["mcp Python SDK (\u003c 1.28.1)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","server-side","websocket","python","supply-chain"],"_cs_type":"advisory","_cs_vendors":["mcp"],"content_html":"\u003cp\u003eA high-severity vulnerability, identified as CVE-2026-59950, exists in versions of the MCP Python SDK prior to 1.28.1. Specifically, the deprecated \u003ccode\u003emcp.server.websocket.websocket_server\u003c/code\u003e component, which handles WebSocket server transport, fails to perform \u003ccode\u003eHost\u003c/code\u003e or \u003ccode\u003eOrigin\u003c/code\u003e header validation during the WebSocket handshake. This oversight allows cross-origin WebSocket upgrade requests, typically blocked by browser same-origin policies, to be accepted by the server without inspection. A developer must have manually wired this deprecated transport into an ASGI application, as it is not part of the standard MCP specification nor reachable through \u003ccode\u003eFastMCP\u003c/code\u003e. The vulnerability enables a malicious webpage to open an unauthorized WebSocket connection to a reachable MCP server instance, potentially allowing for the enumeration and invocation of server-side tools and the reading of resources, depending on the server's exposed functionalities. This issue primarily affects users running MCP servers bound to localhost or local area network addresses without external authentication or origin validation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user navigates to a malicious webpage controlled by an attacker.\u003c/li\u003e\n\u003cli\u003eThe malicious webpage, served from any origin, attempts to establish a WebSocket connection to a local or LAN-accessible MCP server running the vulnerable \u003ccode\u003emcp.server.websocket.websocket_server\u003c/code\u003e transport on the user's system (e.g., \u003ccode\u003ews://localhost:XXXX/mcp/ws\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe MCP server, due to the lack of \u003ccode\u003eHost\u003c/code\u003e and \u003ccode\u003eOrigin\u003c/code\u003e header validation in its \u003ccode\u003ewebsocket_server()\u003c/code\u003e implementation, accepts the cross-origin WebSocket handshake from the malicious webpage.\u003c/li\u003e\n\u003cli\u003eA Starlette \u003ccode\u003eWebSocket\u003c/code\u003e connection is established, and the \u003ccode\u003einitialize\u003c/code\u003e handshake is completed without requiring any token or prior session.\u003c/li\u003e\n\u003cli\u003eThe malicious webpage sends JSON-RPC requests over the established WebSocket connection to the MCP server.\u003c/li\u003e\n\u003cli\u003eThe MCP server processes these unauthorized JSON-RPC requests, allowing the malicious webpage to invoke server-side tools and read sensitive resources exposed by the server.\u003c/li\u003e\n\u003cli\u003eThe final impact depends on the specific functionalities exposed by the exploited MCP server, potentially leading to information disclosure or arbitrary command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-59950 can allow a malicious webpage to establish an unauthorized WebSocket connection to a vulnerable MCP server running on the victim's localhost or local area network. If the server is exposed without additional authentication or origin gates, the malicious webpage can enumerate and invoke the server's tools and read its resources. The direct consequences of exploitation are entirely dependent on the specific functionalities and data exposed by the MCP server instance. For instance, if the server exposes sensitive tools or configuration data, an attacker could potentially execute arbitrary commands or exfiltrate confidential information. While some browsers may prompt a user before allowing connections to local network addresses, this user interaction is not a substitute for robust server-side validation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003emcp\u003c/code\u003e Python SDK to version 1.28.1 or later to apply the patch for CVE-2026-59950.\u003c/li\u003e\n\u003cli\u003eConfigure \u003ccode\u003eTransportSecuritySettings\u003c/code\u003e with \u003ccode\u003eenable_dns_rebinding_protection=True\u003c/code\u003e and appropriate \u003ccode\u003eallowed_hosts\u003c/code\u003e and \u003ccode\u003eallowed_origins\u003c/code\u003e when initializing \u003ccode\u003ewebsocket_server()\u003c/code\u003e to enable proper Host/Origin header validation.\u003c/li\u003e\n\u003cli\u003eMigrate off the deprecated \u003ccode\u003ewebsocket_server()\u003c/code\u003e transport to \u003ccode\u003eStreamable HTTP\u003c/code\u003e where \u003ccode\u003eFastMCP\u003c/code\u003e automatically provides protection for localhost binds.\u003c/li\u003e\n\u003cli\u003eEnsure that any MCP server instances exposed to networks (even local) are protected by a separate authentication or origin validation layer.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T20:17:38Z","date_published":"2026-07-16T20:17:38Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mcp-websocket-vulnerability/","summary":"A high-severity vulnerability (CVE-2026-59950) in the deprecated `mcp.server.websocket.websocket_server` component of the MCP Python SDK allows malicious webpages to bypass same-origin policy and establish unauthorized WebSocket connections, enabling attackers to invoke server tools and read resources from affected local or LAN-bound MCP servers.","title":"MCP Python SDK WebSocket Server Lacks Host/Origin Validation","url":"https://feed.craftedsignal.io/briefs/2026-07-mcp-websocket-vulnerability/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-52869"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MCP Python SDK \u003c= 1.27.1"],"_cs_severities":["high"],"_cs_tags":["vulnerability","authentication-bypass","python","sdk","web-application"],"_cs_type":"advisory","_cs_vendors":["MCP"],"content_html":"\u003cp\u003eA significant authentication bypass vulnerability, identified as CVE-2026-52869, has been discovered in the MCP Python SDK versions up to 1.27.1. This flaw specifically impacts application servers using either the SSE (\u003ccode\u003emcp.server.sse.SseServerTransport\u003c/code\u003e) or Streamable HTTP (\u003ccode\u003emcp.server.streamable_http_manager.StreamableHTTPSessionManager\u003c/code\u003e) transports in stateful mode, particularly when authentication is configured. The vulnerability stems from the transports routing incoming requests to an existing session based solely on the session identifier (a query parameter or header), without validating that the request originates from the same authenticated principal who initially created the session. This oversight allows an attacker who can acquire or guess a session ID to inject unauthorized JSON-RPC messages into an active session, effectively bypassing the per-client isolation intended by authentication. The SSE transport has been affected since its initial release, while the Streamable HTTP transport became vulnerable in version 1.8.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Reconnaissance\u003c/strong\u003e: The attacker identifies a target application server utilizing the MCP Python SDK with HTTP transports (SSE or Streamable HTTP) and configured authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSession ID Acquisition\u003c/strong\u003e: The attacker obtains an active session ID for a legitimate user through out-of-band means such as sniffing network traffic, log compromise, or brute-forcing (session IDs are UUIDs, making brute-force difficult but not impossible).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCrafting Malicious Request\u003c/strong\u003e: The attacker crafts a request containing malicious JSON-RPC messages, including the obtained legitimate \u003ccode\u003esession_id\u003c/code\u003e (for SSE) or \u003ccode\u003eMcp-Session-Id\u003c/code\u003e header (for Streamable HTTP).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Bypass\u003c/strong\u003e: The attacker sends the malicious request to the vulnerable server. The server routes the request to the target session solely based on the session ID, bypassing principal authentication checks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMessage Injection\u003c/strong\u003e: The server processes the attacker's JSON-RPC messages within the context of the legitimate user's session, despite the request carrying a different or invalid bearer token.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact on Session\u003c/strong\u003e: The injected messages can alter the session state, perform unauthorized actions, or exfiltrate sensitive information, depending on the application's functionality.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResponse Delivery\u003c/strong\u003e: For SSE, the response to the injected message is delivered to the original legitimate client's event stream. For Streamable HTTP, the injecting client receives the response directly.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAchieve Objective\u003c/strong\u003e: The attacker successfully compromises session integrity, leading to unauthorized data manipulation or access, bypassing the intended per-client isolation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf successfully exploited, CVE-2026-52869 allows an attacker to bypass critical per-client isolation mechanisms provided by authentication in application servers using the MCP Python SDK's HTTP transports. This means that an attacker, upon obtaining a valid session ID, can inject arbitrary JSON-RPC messages into another user's active session. The direct consequence is unauthorized access and potential manipulation of session-dependent data or functionality. While session IDs are randomly generated UUIDs, making blind guessing difficult, any out-of-band leakage (e.g., via logs, network observation, or cross-site scripting) would enable exploitation. The impact could range from data corruption or unauthorized information disclosure to complete account compromise, depending on the privileges associated with the compromised session and the capabilities of the JSON-RPC interface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003epip/mcp\u003c/code\u003e package to version 1.27.2 or later immediately to address CVE-2026-52869.\u003c/li\u003e\n\u003cli\u003eEnsure that, for deployments where many end users share a single OAuth client, the token verifier populates \u003ccode\u003eAccessToken.subject\u003c/code\u003e (e.g., from the token's \u003ccode\u003esub\u003c/code\u003e claim) to enforce per-user session isolation.\u003c/li\u003e\n\u003cli\u003eReview custom authentication backends, if used, to ensure they enforce equivalent principal verification checks as introduced in MCP Python SDK 1.27.2.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T19:59:49Z","date_published":"2026-07-16T19:59:49Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mcp-python-sdk-auth-bypass/","summary":"A high-severity authentication bypass vulnerability, CVE-2026-52869, exists in affected versions of the MCP Python SDK's HTTP transports, allowing an attacker who obtains or guesses a session ID to send JSON-RPC messages to an existing session without verifying the authenticated principal, thereby bypassing per-client isolation and potentially injecting messages.","title":"MCP Python SDK Authentication Bypass Vulnerability (CVE-2026-52869)","url":"https://feed.craftedsignal.io/briefs/2026-07-mcp-python-sdk-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.6,"id":"CVE-2026-52870"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["mcp (\u003e= 1.23.0, \u003c= 1.27.1)"],"_cs_severities":["medium"],"_cs_tags":["vulnerability","server-side-request-forgery","data-exfiltration","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["MCP"],"content_html":"\u003cp\u003eA significant vulnerability, tracked as CVE-2026-52870, has been identified in the experimental tasks feature of the MCP Python SDK, affecting versions 1.23.0 through 1.27.1. When developers explicitly enable this feature by calling \u003ccode\u003eserver.experimental.enable_tasks()\u003c/code\u003e, the default request handlers for tasks (\u003ccode\u003etasks/list\u003c/code\u003e, \u003ccode\u003etasks/get\u003c/code\u003e, \u003ccode\u003etasks/result\u003c/code\u003e, \u003ccode\u003etasks/cancel\u003c/code\u003e) fail to validate which client session created a specific task. This critical oversight allows any client connected to the server to enumerate, access, retrieve results from, and cancel tasks initiated by other clients. The impact includes unauthorized disclosure of task results and elicitation payloads, interception of messages intended for other clients, and potential denial of service by prematurely terminating ongoing tasks. This flaw presents a serious risk to multi-client applications utilizing the experimental task management functionality, enabling malicious clients to disrupt operations and exfiltrate sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker establishes a connection to a server running the vulnerable MCP Python SDK application with \u003ccode\u003eserver.experimental.enable_tasks()\u003c/code\u003e enabled, posing as a legitimate client.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003etasks/list\u003c/code\u003e request to the server, which, due to the vulnerability, returns a list of all active tasks across all connected client sessions.\u003c/li\u003e\n\u003cli\u003eUsing the task identifiers obtained from the \u003ccode\u003etasks/list\u003c/code\u003e response, the attacker sends \u003ccode\u003etasks/get\u003c/code\u003e and \u003ccode\u003etasks/result\u003c/code\u003e requests to retrieve the status and outcomes of tasks belonging to other clients.\u003c/li\u003e\n\u003cli\u003eThe attacker may also retrieve queued task messages, such as elicitation requests, intended for other clients, effectively consuming messages and preventing the legitimate recipient from receiving them.\u003c/li\u003e\n\u003cli\u003eThe attacker can then analyze the sensitive data contained within these task results or messages.\u003c/li\u003e\n\u003cli\u003eAs a final step, the attacker sends \u003ccode\u003etasks/cancel\u003c/code\u003e requests for tasks identified in previous steps, terminating legitimate operations initiated by other clients, leading to a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eServers utilizing the affected MCP Python SDK versions (1.23.0 to 1.27.1) with the experimental tasks feature enabled are at risk. This vulnerability allows for unauthorized access to sensitive task results and elicitation payloads belonging to other clients, compromising data confidentiality. Furthermore, attackers can intercept messages meant for legitimate clients and disrupt service by canceling tasks, leading to operational downtime or data inconsistencies. The direct consequences could range from competitive intelligence gathering to sabotage of critical business processes, particularly in environments where multiple clients interact with shared server resources. The number of directly affected organizations depends on the adoption rate of this specific experimental and opt-in feature.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the MCP Python SDK to version 1.27.2 or later immediately to address CVE-2026-52870, which embeds opaque per-session markers in task IDs and restricts access to session-specific tasks.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not feasible, ensure that the \u003ccode\u003eserver.experimental.enable_tasks()\u003c/code\u003e feature is disabled in your application configuration.\u003c/li\u003e\n\u003cli\u003eFor applications requiring task handlers, register custom handlers that explicitly validate session ownership for each task request (\u003ccode\u003etasks/list\u003c/code\u003e, \u003ccode\u003etasks/get\u003c/code\u003e, \u003ccode\u003etasks/result\u003c/code\u003e, \u003ccode\u003etasks/cancel\u003c/code\u003e) to prevent unauthorized cross-client access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T19:57:09Z","date_published":"2026-07-16T19:57:09Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mcp-python-sdk-task-handler-vulnerability/","summary":"A high-severity vulnerability (CVE-2026-52870) in the MCP Python SDK's experimental task handlers, specifically in versions 1.23.0 through 1.27.1, allows any connected client to observe, read results from, and cancel tasks belonging to other clients due to a lack of session validation, potentially leading to unauthorized data access and denial of service.","title":"MCP Python SDK Vulnerability Allows Cross-Client Task Access and Cancellation (CVE-2026-52870)","url":"https://feed.craftedsignal.io/briefs/2026-07-mcp-python-sdk-task-handler-vulnerability/"}],"language":"en","title":"CraftedSignal Threat Feed - Mcp","version":"https://jsonfeed.org/version/1.1"}