CVE-2026-33252
MEDIUM EPSS 7.5%
Published Mar 24, 20263mo ago · Modified Jun 17, 20262w ago
6.5 CVSS 3.1
Published Mar 24, 2026 3mo ago
Last Modified Jun 17, 2026 2w ago
Description
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary website to send MCP requests to a local server and potentially trigger tool execution. Version 1.4.1 contains a patch for the issue.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity High
Availability None
Threat Intelligence
EPSS Exploit Probability
7.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-352 Cross-Site Request Forgery (CSRF) Authentication
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| lfprojects | mcp_go_sdk | * | <1.4.1 |
References 2
- github.com https://github.com/modelcontextprotocol/go-sdk/commit/a433a831d6e5d5ac3b9e625a8095aa8eaa040dfc
- github.com https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-89xv-2j6f-qhc8
Remediation
- github.com https://github.com/modelcontextprotocol/go-sdk/commit/a433a831d6e5d5ac3b9e625a8095aa8eaa040dfc
- github.com https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-89xv-2j6f-qhc8