CVE-2026-59950
MCP Python SDK: WebSocket server transport does not support Host/Origin validation
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to 1.28.1, the deprecated mcp.server.websocket.websocket_server transport accepted WebSocket handshakes without applying Host or Origin header validation, leaving no SDK-level way to restrict which origins could connect to applications that exposed that transport. This issue is fixed in version 1.28.1.
| CWE | CWE-346 CWE-1385 |
| Vendor | modelcontextprotocol |
| Product | python-sdk |
| Published | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for modelcontextprotocol python-sdk
Be the first to know when new unknown vulnerabilities affecting modelcontextprotocol python-sdk are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
modelcontextprotocol / python-sdk
< 1.28.1
References
github.com: https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-vj7q-gjh5-988w github.com: https://github.com/modelcontextprotocol/python-sdk/pull/2992 github.com: https://github.com/modelcontextprotocol/python-sdk/commit/777b8d06710c140e3606b0d4598e2aa48546c266 github.com: https://github.com/modelcontextprotocol/python-sdk/releases/tag/v1.28.1