PT-2026-60301 · Pypi · Mcp Python Sdk
Published
2026-07-15
·
Updated
2026-07-15
·
CVE-2026-59950
CVSS v4.0
7.6
High
| Vector | AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
mcp versions prior to 1.28.1
Description
The MCP Python SDK, a Python implementation of the Model Context Protocol, contains an issue in the deprecated
mcp.server.websocket.websocket server transport. This component accepts WebSocket handshakes without validating the Host or Origin headers, which prevents the SDK from restricting which origins can connect to applications using this transport.Recommendations
Update to version 1.28.1.
As a temporary mitigation, restrict the use of the
mcp.server.websocket.websocket server transport.Fix
Origin Validation Error
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Mcp Python Sdk