DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-59950: CVE-2026-59950: Cross-Site WebSocket Hijacking in Model Context Protocol Python SDK

CVE-2026-59950: Cross-Site WebSocket Hijacking in Model Context Protocol Python SDK

Vulnerability ID: CVE-2026-59950
CVSS Score: 7.6
Published: 2026-07-16

CVE-2026-59950 is a high-severity security vulnerability in the Model Context Protocol (MCP) Python SDK. Prior to version 1.28.1, the SDK's deprecated WebSocket server transport accepted incoming connection handshakes without performing validation on the Host or Origin headers. Because web browsers do not restrict WebSocket connections using the Same-Origin Policy (SOP), this enables malicious third-party websites to perform a Cross-Site WebSocket Hijacking (CSWSH) attack, executing unauthorized commands on behalf of the local user.

TL;DR

The Model Context Protocol Python SDK failed to validate Origin and Host headers in its deprecated WebSocket server transport. This omission allows malicious websites to hijack connections via the user's browser, permitting unauthorized control of the local MCP server.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1385
  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • CVSS Score: 7.6 (High)
  • Exploit Status: PoC Available in Unit Tests
  • Impact: High Confidentiality, High Integrity (Loss of local context control)

Affected Systems

  • Model Context Protocol (MCP) Python SDK applications exposing WebSocket server transport (mcp.server.websocket.websocket_server)
  • mcp: >= 1.15.0, < 1.28.1 (Fixed in: 1.28.1)

Code Analysis

Commit: 777b8d0

Add opt-in TransportSecuritySettings support to WebSocket server transport

--- a/src/mcp/server/transport_security.py
+++ b/src/mcp/server/transport_security.py
-from starlette.requests import Request
+from starlette.requests import HTTPConnection
...
-    async def validate_request(self, request: Request, is_post: bool = False) -> Response | None:
+    async def validate_request(self, request: HTTPConnection, is_post: bool = False) -> Response | None:
--- a/src/mcp/server/websocket.py
+++ b/src/mcp/server/websocket.py
     websocket = WebSocket(scope, receive, send)
+
+    security = TransportSecurityMiddleware(security_settings)
+    error_response = await security.validate_request(websocket, is_post=False)
+    if error_response is not None:
+        await websocket.close()
+        raise ValueError("Request validation failed")
+
     await websocket.accept(subprotocol="mcp")
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • GitHub Unit Tests: Official integration test suites simulating unauthorized origin connections to confirm successful rejection.

Mitigation Strategies

  • Upgrade the mcp PyPI package to version 1.28.1 or later
  • Configure TransportSecuritySettings with explicit allowed_origins and allowed_hosts
  • Migrate away from the deprecated WebSocket transport to standard stdio or SSE transports

Remediation Steps:

  1. Identify any active python-sdk deployments utilizing mcp.server.websocket
  2. Upgrade the mcp package using: pip install --upgrade mcp>=1.28.1
  3. Instantiate and configure TransportSecuritySettings with your local domain parameters
  4. Pass the security_settings object into your websocket_server initialization block
  5. Validate rejection of unauthorized origins by running validation tests

References


Read the full report for CVE-2026-59950 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)