<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Mcp - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/mcp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 20:17:38 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/mcp/feed.xml" rel="self" type="application/rss+xml"/><item><title>MCP Python SDK WebSocket Server Lacks Host/Origin Validation</title><link>https://feed.craftedsignal.io/briefs/2026-07-mcp-websocket-vulnerability/</link><pubDate>Thu, 16 Jul 2026 20:17:38 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-mcp-websocket-vulnerability/</guid><description>A high-severity vulnerability (CVE-2026-59950) in the deprecated `mcp.server.websocket.websocket_server` component of the MCP Python SDK allows malicious webpages to bypass same-origin policy and establish unauthorized WebSocket connections, enabling attackers to invoke server tools and read resources from affected local or LAN-bound MCP servers.</description><content:encoded><![CDATA[<p>A high-severity vulnerability, identified as CVE-2026-59950, exists in versions of the MCP Python SDK prior to 1.28.1. Specifically, the deprecated <code>mcp.server.websocket.websocket_server</code> component, which handles WebSocket server transport, fails to perform <code>Host</code> or <code>Origin</code> header validation during the WebSocket handshake. This oversight allows cross-origin WebSocket upgrade requests, typically blocked by browser same-origin policies, to be accepted by the server without inspection. A developer must have manually wired this deprecated transport into an ASGI application, as it is not part of the standard MCP specification nor reachable through <code>FastMCP</code>. The vulnerability enables a malicious webpage to open an unauthorized WebSocket connection to a reachable MCP server instance, potentially allowing for the enumeration and invocation of server-side tools and the reading of resources, depending on the server's exposed functionalities. This issue primarily affects users running MCP servers bound to localhost or local area network addresses without external authentication or origin validation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user navigates to a malicious webpage controlled by an attacker.</li>
<li>The malicious webpage, served from any origin, attempts to establish a WebSocket connection to a local or LAN-accessible MCP server running the vulnerable <code>mcp.server.websocket.websocket_server</code> transport on the user's system (e.g., <code>ws://localhost:XXXX/mcp/ws</code>).</li>
<li>The MCP server, due to the lack of <code>Host</code> and <code>Origin</code> header validation in its <code>websocket_server()</code> implementation, accepts the cross-origin WebSocket handshake from the malicious webpage.</li>
<li>A Starlette <code>WebSocket</code> connection is established, and the <code>initialize</code> handshake is completed without requiring any token or prior session.</li>
<li>The malicious webpage sends JSON-RPC requests over the established WebSocket connection to the MCP server.</li>
<li>The MCP server processes these unauthorized JSON-RPC requests, allowing the malicious webpage to invoke server-side tools and read sensitive resources exposed by the server.</li>
<li>The final impact depends on the specific functionalities exposed by the exploited MCP server, potentially leading to information disclosure or arbitrary command execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-59950 can allow a malicious webpage to establish an unauthorized WebSocket connection to a vulnerable MCP server running on the victim's localhost or local area network. If the server is exposed without additional authentication or origin gates, the malicious webpage can enumerate and invoke the server's tools and read its resources. The direct consequences of exploitation are entirely dependent on the specific functionalities and data exposed by the MCP server instance. For instance, if the server exposes sensitive tools or configuration data, an attacker could potentially execute arbitrary commands or exfiltrate confidential information. While some browsers may prompt a user before allowing connections to local network addresses, this user interaction is not a substitute for robust server-side validation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>mcp</code> Python SDK to version 1.28.1 or later to apply the patch for CVE-2026-59950.</li>
<li>Configure <code>TransportSecuritySettings</code> with <code>enable_dns_rebinding_protection=True</code> and appropriate <code>allowed_hosts</code> and <code>allowed_origins</code> when initializing <code>websocket_server()</code> to enable proper Host/Origin header validation.</li>
<li>Migrate off the deprecated <code>websocket_server()</code> transport to <code>Streamable HTTP</code> where <code>FastMCP</code> automatically provides protection for localhost binds.</li>
<li>Ensure that any MCP server instances exposed to networks (even local) are protected by a separate authentication or origin validation layer.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>server-side</category><category>websocket</category><category>python</category><category>supply-chain</category></item><item><title>MCP Python SDK Authentication Bypass Vulnerability (CVE-2026-52869)</title><link>https://feed.craftedsignal.io/briefs/2026-07-mcp-python-sdk-auth-bypass/</link><pubDate>Thu, 16 Jul 2026 19:59:49 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-mcp-python-sdk-auth-bypass/</guid><description>A high-severity authentication bypass vulnerability, CVE-2026-52869, exists in affected versions of the MCP Python SDK's HTTP transports, allowing an attacker who obtains or guesses a session ID to send JSON-RPC messages to an existing session without verifying the authenticated principal, thereby bypassing per-client isolation and potentially injecting messages.</description><content:encoded><![CDATA[<p>A significant authentication bypass vulnerability, identified as CVE-2026-52869, has been discovered in the MCP Python SDK versions up to 1.27.1. This flaw specifically impacts application servers using either the SSE (<code>mcp.server.sse.SseServerTransport</code>) or Streamable HTTP (<code>mcp.server.streamable_http_manager.StreamableHTTPSessionManager</code>) transports in stateful mode, particularly when authentication is configured. The vulnerability stems from the transports routing incoming requests to an existing session based solely on the session identifier (a query parameter or header), without validating that the request originates from the same authenticated principal who initially created the session. This oversight allows an attacker who can acquire or guess a session ID to inject unauthorized JSON-RPC messages into an active session, effectively bypassing the per-client isolation intended by authentication. The SSE transport has been affected since its initial release, while the Streamable HTTP transport became vulnerable in version 1.8.0.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Reconnaissance</strong>: The attacker identifies a target application server utilizing the MCP Python SDK with HTTP transports (SSE or Streamable HTTP) and configured authentication.</li>
<li><strong>Session ID Acquisition</strong>: The attacker obtains an active session ID for a legitimate user through out-of-band means such as sniffing network traffic, log compromise, or brute-forcing (session IDs are UUIDs, making brute-force difficult but not impossible).</li>
<li><strong>Crafting Malicious Request</strong>: The attacker crafts a request containing malicious JSON-RPC messages, including the obtained legitimate <code>session_id</code> (for SSE) or <code>Mcp-Session-Id</code> header (for Streamable HTTP).</li>
<li><strong>Authentication Bypass</strong>: The attacker sends the malicious request to the vulnerable server. The server routes the request to the target session solely based on the session ID, bypassing principal authentication checks.</li>
<li><strong>Message Injection</strong>: The server processes the attacker's JSON-RPC messages within the context of the legitimate user's session, despite the request carrying a different or invalid bearer token.</li>
<li><strong>Impact on Session</strong>: The injected messages can alter the session state, perform unauthorized actions, or exfiltrate sensitive information, depending on the application's functionality.</li>
<li><strong>Response Delivery</strong>: For SSE, the response to the injected message is delivered to the original legitimate client's event stream. For Streamable HTTP, the injecting client receives the response directly.</li>
<li><strong>Achieve Objective</strong>: The attacker successfully compromises session integrity, leading to unauthorized data manipulation or access, bypassing the intended per-client isolation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>If successfully exploited, CVE-2026-52869 allows an attacker to bypass critical per-client isolation mechanisms provided by authentication in application servers using the MCP Python SDK's HTTP transports. This means that an attacker, upon obtaining a valid session ID, can inject arbitrary JSON-RPC messages into another user's active session. The direct consequence is unauthorized access and potential manipulation of session-dependent data or functionality. While session IDs are randomly generated UUIDs, making blind guessing difficult, any out-of-band leakage (e.g., via logs, network observation, or cross-site scripting) would enable exploitation. The impact could range from data corruption or unauthorized information disclosure to complete account compromise, depending on the privileges associated with the compromised session and the capabilities of the JSON-RPC interface.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>pip/mcp</code> package to version 1.27.2 or later immediately to address CVE-2026-52869.</li>
<li>Ensure that, for deployments where many end users share a single OAuth client, the token verifier populates <code>AccessToken.subject</code> (e.g., from the token's <code>sub</code> claim) to enforce per-user session isolation.</li>
<li>Review custom authentication backends, if used, to ensure they enforce equivalent principal verification checks as introduced in MCP Python SDK 1.27.2.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>authentication-bypass</category><category>python</category><category>sdk</category><category>web-application</category></item><item><title>MCP Python SDK Vulnerability Allows Cross-Client Task Access and Cancellation (CVE-2026-52870)</title><link>https://feed.craftedsignal.io/briefs/2026-07-mcp-python-sdk-task-handler-vulnerability/</link><pubDate>Thu, 16 Jul 2026 19:57:09 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-mcp-python-sdk-task-handler-vulnerability/</guid><description>A high-severity vulnerability (CVE-2026-52870) in the MCP Python SDK's experimental task handlers, specifically in versions 1.23.0 through 1.27.1, allows any connected client to observe, read results from, and cancel tasks belonging to other clients due to a lack of session validation, potentially leading to unauthorized data access and denial of service.</description><content:encoded><![CDATA[<p>A significant vulnerability, tracked as CVE-2026-52870, has been identified in the experimental tasks feature of the MCP Python SDK, affecting versions 1.23.0 through 1.27.1. When developers explicitly enable this feature by calling <code>server.experimental.enable_tasks()</code>, the default request handlers for tasks (<code>tasks/list</code>, <code>tasks/get</code>, <code>tasks/result</code>, <code>tasks/cancel</code>) fail to validate which client session created a specific task. This critical oversight allows any client connected to the server to enumerate, access, retrieve results from, and cancel tasks initiated by other clients. The impact includes unauthorized disclosure of task results and elicitation payloads, interception of messages intended for other clients, and potential denial of service by prematurely terminating ongoing tasks. This flaw presents a serious risk to multi-client applications utilizing the experimental task management functionality, enabling malicious clients to disrupt operations and exfiltrate sensitive data.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker establishes a connection to a server running the vulnerable MCP Python SDK application with <code>server.experimental.enable_tasks()</code> enabled, posing as a legitimate client.</li>
<li>The attacker sends a <code>tasks/list</code> request to the server, which, due to the vulnerability, returns a list of all active tasks across all connected client sessions.</li>
<li>Using the task identifiers obtained from the <code>tasks/list</code> response, the attacker sends <code>tasks/get</code> and <code>tasks/result</code> requests to retrieve the status and outcomes of tasks belonging to other clients.</li>
<li>The attacker may also retrieve queued task messages, such as elicitation requests, intended for other clients, effectively consuming messages and preventing the legitimate recipient from receiving them.</li>
<li>The attacker can then analyze the sensitive data contained within these task results or messages.</li>
<li>As a final step, the attacker sends <code>tasks/cancel</code> requests for tasks identified in previous steps, terminating legitimate operations initiated by other clients, leading to a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Servers utilizing the affected MCP Python SDK versions (1.23.0 to 1.27.1) with the experimental tasks feature enabled are at risk. This vulnerability allows for unauthorized access to sensitive task results and elicitation payloads belonging to other clients, compromising data confidentiality. Furthermore, attackers can intercept messages meant for legitimate clients and disrupt service by canceling tasks, leading to operational downtime or data inconsistencies. The direct consequences could range from competitive intelligence gathering to sabotage of critical business processes, particularly in environments where multiple clients interact with shared server resources. The number of directly affected organizations depends on the adoption rate of this specific experimental and opt-in feature.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the MCP Python SDK to version 1.27.2 or later immediately to address CVE-2026-52870, which embeds opaque per-session markers in task IDs and restricts access to session-specific tasks.</li>
<li>If immediate upgrade is not feasible, ensure that the <code>server.experimental.enable_tasks()</code> feature is disabled in your application configuration.</li>
<li>For applications requiring task handlers, register custom handlers that explicitly validate session ownership for each task request (<code>tasks/list</code>, <code>tasks/get</code>, <code>tasks/result</code>, <code>tasks/cancel</code>) to prevent unauthorized cross-client access.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>vulnerability</category><category>server-side-request-forgery</category><category>data-exfiltration</category><category>denial-of-service</category></item></channel></rss>