PT-2026-60301 · Pypi · Mcp Python Sdk

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-59950

CVSS v4.0

7.6

High

VectorAV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions mcp versions prior to 1.28.1
Description The MCP Python SDK, a Python implementation of the Model Context Protocol, contains an issue in the deprecated mcp.server.websocket.websocket server transport. This component accepts WebSocket handshakes without validating the Host or Origin headers, which prevents the SDK from restricting which origins can connect to applications using this transport.
Recommendations Update to version 1.28.1. As a temporary mitigation, restrict the use of the mcp.server.websocket.websocket server transport.

Fix

Origin Validation Error

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59950

Affected Products

Mcp Python Sdk