CVE-2026-59950

Summary

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to 1.28.1, the deprecated mcp.server.websocket.websocket_server transport accepted WebSocket handshakes without applying Host or Origin header validation, leaving no SDK-level way to restrict which origins could connect to applications that exposed that transport. This issue is fixed in version 1.28.1.

Affected Software

VendorProductVersion RangeStatus
modelcontextprotocolpython-sdk< 1.28.1affected

Weaknesses

  • CWE-346: CWE-346: Origin Validation Error
  • CWE-1385: CWE-1385: Missing Origin Validation in WebSockets

References