VYPR
High severity · 7.1 · NVD Advisory · Published Mar 24, 2026 · Updated Apr 15, 2026

CVE-2026-33252

Description

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary website to send MCP requests to a local server and potentially trigger tool execution. Version 1.4.1 contains a patch for the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
github.com/modelcontextprotocol/go-sdk (Go) | < 1.4.1 | 1.4.1

Affected products: 38

References: 4
