CVE-2026-59950: Cross-Site WebSocket Hijacking in Model Context Protocol Python SDK
Vulnerability ID: CVE-2026-59950
CVSS Score: 7.6
Published: 2026-07-16
CVE-2026-59950 is a high-severity security vulnerability in the Model Context Protocol (MCP) Python SDK. Prior to version 1.28.1, the SDK's deprecated WebSocket server transport accepted incoming connection handshakes without performing validation on the Host or Origin headers. Because web browsers do not restrict WebSocket connections using the Same-Origin Policy (SOP), this enables malicious third-party websites to perform a Cross-Site WebSocket Hijacking (CSWSH) attack, executing unauthorized commands on behalf of the local user.
TL;DR
The Model Context Protocol Python SDK failed to validate Origin and Host headers in its deprecated WebSocket server transport. This omission allows malicious websites to hijack connections via the user's browser, permitting unauthorized control of the local MCP server.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-1385
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- CVSS Score: 7.6 (High)
- Exploit Status: PoC Available in Unit Tests
- Impact: High Confidentiality, High Integrity (Loss of local context control)
Affected Systems
- Model Context Protocol (MCP) Python SDK applications exposing WebSocket server transport (mcp.server.websocket.websocket_server)
-
mcp: >= 1.15.0, < 1.28.1 (Fixed in:
1.28.1)
Code Analysis
Commit: 777b8d0
Add opt-in TransportSecuritySettings support to WebSocket server transport
--- a/src/mcp/server/transport_security.py
+++ b/src/mcp/server/transport_security.py
-from starlette.requests import Request
+from starlette.requests import HTTPConnection
...
- async def validate_request(self, request: Request, is_post: bool = False) -> Response | None:
+ async def validate_request(self, request: HTTPConnection, is_post: bool = False) -> Response | None:
--- a/src/mcp/server/websocket.py
+++ b/src/mcp/server/websocket.py
websocket = WebSocket(scope, receive, send)
+
+ security = TransportSecurityMiddleware(security_settings)
+ error_response = await security.validate_request(websocket, is_post=False)
+ if error_response is not None:
+ await websocket.close()
+ raise ValueError("Request validation failed")
+
await websocket.accept(subprotocol="mcp")
Exploit Details
- GitHub Unit Tests: Official integration test suites simulating unauthorized origin connections to confirm successful rejection.
Mitigation Strategies
- Upgrade the mcp PyPI package to version 1.28.1 or later
- Configure TransportSecuritySettings with explicit allowed_origins and allowed_hosts
- Migrate away from the deprecated WebSocket transport to standard stdio or SSE transports
Remediation Steps:
- Identify any active python-sdk deployments utilizing mcp.server.websocket
- Upgrade the mcp package using: pip install --upgrade mcp>=1.28.1
- Instantiate and configure TransportSecuritySettings with your local domain parameters
- Pass the security_settings object into your websocket_server initialization block
- Validate rejection of unauthorized origins by running validation tests
References
- GitHub Security Advisory GHSA-vj7q-gjh5-988w
- Official Patch Commit
- Pull Request #2992
- SDK Release v1.28.1
- NVD Details
Read the full report for CVE-2026-59950 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)