WebSocket Handshake Vulnerability in MCP Python SDK by Model Context Protocol
CVE-2026-59950
7.6HIGH
What is CVE-2026-59950?
The MCP Python SDK, also known as mcp, is a Python implementation of the Model Context Protocol. Prior to version 1.28.1, the mcp.server.websocket.websocket_server transport did not properly validate Host or Origin headers during WebSocket handshakes. This lack of validation made it possible for unauthorized origins to access applications that expose this transport, potentially leading to security risks. Version 1.28.1 addresses this issue, ensuring enhanced security by implementing origin restrictions.
Affected Version(s)
python-sdk < 1.28.1
