๐Ÿ” CVE Alert

CVE-2026-59950

UNKNOWN 0.0

MCP Python SDK: WebSocket server transport does not support Host/Origin validation

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to 1.28.1, the deprecated mcp.server.websocket.websocket_server transport accepted WebSocket handshakes without applying Host or Origin header validation, leaving no SDK-level way to restrict which origins could connect to applications that exposed that transport. This issue is fixed in version 1.28.1.

CWE CWE-346 CWE-1385
Vendor modelcontextprotocol
Product python-sdk
Published Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for modelcontextprotocol python-sdk

Be the first to know when new unknown vulnerabilities affecting modelcontextprotocol python-sdk are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

modelcontextprotocol / python-sdk
< 1.28.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-vj7q-gjh5-988w github.com: https://github.com/modelcontextprotocol/python-sdk/pull/2992 github.com: https://github.com/modelcontextprotocol/python-sdk/commit/777b8d06710c140e3606b0d4598e2aa48546c266 github.com: https://github.com/modelcontextprotocol/python-sdk/releases/tag/v1.28.1