CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-59950

CVE-2026-59950: Cross-Site WebSocket Hijacking in Model Context Protocol Python SDK

Alon Barad
Alon Barad
Software Engineer

Jul 17, 2026·6 min read·5 visits

Executive Summary (TL;DR)

The Model Context Protocol Python SDK failed to validate Origin and Host headers in its deprecated WebSocket server transport. This omission allows malicious websites to hijack connections via the user's browser, permitting unauthorized control of the local MCP server.

CVE-2026-59950 is a high-severity security vulnerability in the Model Context Protocol (MCP) Python SDK. Prior to version 1.28.1, the SDK's deprecated WebSocket server transport accepted incoming connection handshakes without performing validation on the Host or Origin headers. Because web browsers do not restrict WebSocket connections using the Same-Origin Policy (SOP), this enables malicious third-party websites to perform a Cross-Site WebSocket Hijacking (CSWSH) attack, executing unauthorized commands on behalf of the local user.

Vulnerability Overview & Attack Surface

The Model Context Protocol (MCP) Python SDK before version 1.28.1 provides a WebSocket server transport implementation within the mcp.server.websocket module. This transport is built as an Asynchronous Server Gateway Interface (ASGI) application designed to facilitate JSON-RPC communications between Large Language Model (LLM) platforms and external tools. The service operates locally or within internal network perimeters, managing sensitive actions like local file access, command execution, and developer tool integrations.

The attack surface is exposed because the WebSocket protocol does not adhere to the Same-Origin Policy (SOP). While browsers restrict standard cross-origin HTTP requests, they permit cross-origin WebSocket connection handshakes to any address, including localhost. This fundamental browser behavior requires the WebSocket server itself to actively inspect and validate incoming HTTP upgrade headers.

Prior to version 1.28.1, the SDK's WebSocket server transport completed handshakes without performing validation on either the Origin or Host headers. This architectural oversight exposes environments hosting an MCP server to unauthenticated Cross-Site WebSocket Hijacking (CSWSH) and DNS rebinding attacks. An attacker can leverage this exposure to interact with internal models and execute sensitive tool actions.

Root Cause Analysis

The root cause of the vulnerability lies in the implementation of the websocket_server coroutine within src/mcp/server/websocket.py. The transport was designed to handle incoming ASGI connections by immediately instantiating a Starlette-compatible WebSocket interface and executing the connection upgrade sequence.

In the vulnerable implementation, the server calls the websocket.accept() method directly upon receipt of a connection request. It does not perform any structural validation on the headers supplied within the ASGI scope. Under the Starlette ASGI framework, calling accept sends an websocket.accept event back to the server, which completes the HTTP 101 Switching Protocols handshake.

Because the Same-Origin Policy is not enforced by browsers for WebSocket handshakes, any website loaded within the victim's browser can trigger this upgrade handshake. In the absence of an explicit validation step that checks the Origin header against an approved list of origins, the server establishes a persistent, bi-directional communication channel with the third-party client. Additionally, the lack of Host header verification allows attackers to route connections via a malicious domain pointing to 127.0.0.1, bypassing DNS-based restrictions.

Code-Level Analysis and Patch Review

The patch in commit 777b8d06710c140e3606b0d4598e2aa48546c266 resolves the vulnerability by decoupling the transport security validation from Starlette's high-level Request object and integrating it into the low-level ASGI WebSocket lifecycle.

In src/mcp/server/transport_security.py, the TransportSecurityMiddleware was modified to accept HTTPConnection instead of Request. This modification allows the validation engine to parse both standard HTTP requests and ASGI WebSocket connection scopes.

# src/mcp/server/transport_security.py
-from starlette.requests import Request
+from starlette.requests import HTTPConnection
...
-    async def validate_request(self, request: Request, is_post: bool = False) -> Response | None:
+    async def validate_request(self, request: HTTPConnection, is_post: bool = False) -> Response | None:

In src/mcp/server/websocket.py, the websocket_server coroutine was updated to instantiate this middleware and run validations before invoking websocket.accept().

# src/mcp/server/websocket.py
     websocket = WebSocket(scope, receive, send)
+
+    security = TransportSecurityMiddleware(security_settings)
+    error_response = await security.validate_request(websocket, is_post=False)
+    if error_response is not None:
+        # Terminating the socket before accepting triggers a 403 Forbidden
+        await websocket.close()
+        raise ValueError("Request validation failed")
+
     await websocket.accept(subprotocol="mcp")

If validation fails, the server invokes websocket.close() prior to initiating the handshake acceptance. According to the ASGI specification, closing an unaccepted WebSocket connection maps to an HTTP 403 response, preventing the establishment of the session.

Exploitation Methodology & Attack Flow

To execute a Cross-Site WebSocket Hijacking (CSWSH) attack against the vulnerable MCP transport, several prerequisites must be met. The victim must be running an application built on the vulnerable MCP SDK that exposes the websocket_server transport on a predictable local port. Concurrently, the victim must navigate to an attacker-controlled web page in a browser session.

The attack flow is represented in the diagram below:

When the victim loads the malicious page, a client-side JavaScript payload initiates a connection attempt using the standard browser WebSocket API. Since the browser includes the original Origin: http://evil.com header, the server should reject it, but the vulnerable SDK accepts it. Once the connection is open, the attacker can execute arbitrary JSON-RPC methods, such as listing files or executing local tools on behalf of the user.

Impact Assessment & System Exposure

The security impact of CVE-2026-59950 is classified as high, carrying a CVSS v4.0 base score of 7.6. The primary consequences involve a complete loss of confidentiality and integrity of the local environment hosting the MCP server. An attacker operating through a hijacked browser connection can issue arbitrary JSON-RPC command payloads to the server.

Because MCP servers frequently interface directly with local file systems, databases, and development tools, the attacker can exploit active tools to execute host system commands, read sensitive files, or exfiltrate configuration credentials. Since the attack is executed through the victim's browser session, the server processes the commands with the full execution permissions of the local user running the SDK application.

This vulnerability is particularly severe for developers using LLM integrations, as local environments are typically trusted and rarely isolated by application-level authentication. No active exploitation has been reported in the wild, and the vulnerability is not currently listed in the CISA KEV catalog.

Remediation & Defensive Configuration

Remediation requires upgrading the mcp PyPI dependency to version 1.28.1 or higher. However, updating the package alone is insufficient to secure existing applications. Because the newly introduced validation checks are designed as opt-in configurations, developers must explicitly pass a populated TransportSecuritySettings configuration to the server.

To configure origin and host validation, instantiate the security settings with your trusted environments and pass it during transport initialization:

from mcp.server.transport_security import TransportSecuritySettings
from mcp.server.websocket import websocket_server
 
security_settings = TransportSecuritySettings(
    enable_dns_rebinding_protection=True,
    allowed_hosts=["127.0.0.1:*", "localhost:*"],
    allowed_origins=["http://localhost:*", "http://127.0.0.1:*"]
)
 
# Implement in the ASGI application context:
async with websocket_server(
    scope, receive, send, security_settings=security_settings
) as streams:
    ...

Additionally, because the WebSocket server transport in the MCP Python SDK is deprecated and entirely removed in version 2.0, organizations should actively migrate their applications to supported alternatives. Valid alternatives include the standard input/output (stdio) transport or the Streamable HTTP (SSE) transport pattern, both of which are officially maintained.

Official Patches

Model Context ProtocolGitHub Security Advisory GHSA-vj7q-gjh5-988w
Model Context Protocolv1.28.1 Release notes and artifact details

Fix Analysis (1)

Technical Appendix

CVSS Score
7.6/ 10
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS Probability
0.18%
Top 92% most exploited

Affected Systems

Model Context Protocol (MCP) Python SDK applications exposing WebSocket server transport (mcp.server.websocket.websocket_server)

Affected Versions Detail

Product
Affected Versions
Fixed Version
mcp
Model Context Protocol
>= 1.15.0, < 1.28.11.28.1
AttributeDetail
CWE IDCWE-1385
Attack VectorNetwork (AV:N)
Attack ComplexityLow (AC:L)
CVSS Score7.6 (High)
Exploit StatusPoC Available in Unit Tests
ImpactHigh Confidentiality, High Integrity (Loss of local context control)

MITRE ATT&CK Mapping

T1189Drive-by Compromise
Initial Access
T1203Exploitation for Client Execution
Execution
CWE-1385
Missing Origin Validation in WebSockets

The product fails to properly validate the Origin header during a WebSocket handshake, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks.

Known Exploits & Detection

GitHub Unit TestsOfficial integration test suites simulating unauthorized origin connections to confirm successful rejection.

References & Sources

  • [1]GitHub Security Advisory GHSA-vj7q-gjh5-988w
  • [2]Official Patch Commit
  • [3]Pull Request #2992
  • [4]SDK Release v1.28.1
  • [5]NVD Details

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•40 minutes ago•GHSA-48QW-824M-86PR
7.7

GHSA-48QW-824M-86PR: Privilege Escalation and Sandbox Escape in ArcadeDB Server

A high-severity privilege escalation and sandbox escape vulnerability exists in ArcadeDB Server prior to version 26.7.1. This flaw permits an authenticated user with read-only privileges to execute arbitrary JVM code in a sandboxed JavaScript context via the API command endpoint. By utilizing reflection on bound Java objects, an attacker can bypass the GraalVM guest environment's whitelist, access the Java ClassLoader, and perform arbitrary file reads on the host filesystem.

Alon Barad
Alon Barad
1 views•6 min read
•about 7 hours ago•CVE-2026-56271
9.8

CVE-2026-56271: Authentication Bypass via Hardcoded JWT Secrets in Flowise Enterprise Passport Middleware

CVE-2026-56271 represents a critical security flaw in Flowise, an open-source visual orchestration platform for Large Language Models (LLMs) and autonomous AI agents. The vulnerability occurs within the platform's enterprise passport authentication module, where default cryptographic parameters are used in the absence of explicit environment variables. Specifically, the middleware silently falls back to known, static hardcoded secrets ('auth_token' and 'refresh_token') and identifiers ('AUDIENCE' and 'ISSUER') to generate and verify session tokens. Consequently, remote unauthenticated attackers can construct arbitrary JSON Web Tokens (JWTs) signed with these hardcoded credentials to gain administrative entry to the application.

Alon Barad
Alon Barad
6 views•6 min read
•about 8 hours ago•GHSA-X9F9-R4M8-9XC2
8.4

GHSA-x9f9-r4m8-9xc2: Remote Code Execution via GraalVM Polyglot Sandbox Bypass in ArcadeDB Trigger Scripts

ArcadeDB is an open-source, multi-model database engine supporting graph, document, key-value, and vector models. In affected versions of ArcadeDB, the trigger script executor improperly configures GraalVM scripting engine permissions. By allowing the 'java.lang.*' package to be loaded within the scripting context, the sandbox environment can be bypassed. An authenticated user with schema administration privileges ('UPDATE_SCHEMA') can register a malicious script trigger that executes arbitrary Java host classes, leading to unauthenticated remote command execution under the context of the ArcadeDB server process.

Alon Barad
Alon Barad
5 views•6 min read
•about 8 hours ago•CVE-2026-20744
9.8

CVE-2026-20744: Improper Access Control in Le Circuit Électrique Charging Station Backend

A critical improper access control vulnerability (CWE-284) in the WebSocket upgrade endpoint of Le Circuit Électrique charging station backend allows remote, unauthenticated attackers to connect to the Charging Station Management System and impersonate charging stations.

Alon Barad
Alon Barad
5 views•8 min read
•about 8 hours ago•CVE-2026-55040
9.1

CVE-2026-55040: Microsoft SharePoint Server Security Feature Bypass Vulnerability

CVE-2026-55040 is a critical security feature bypass vulnerability in Microsoft SharePoint Server arising from a weak authentication mechanism (CWE-1390). An unauthenticated remote attacker can exploit this security flaw over a network to bypass authentication validation routines, gaining unauthorized access to the application and complete control over sensitive enterprise data assets without any user interaction.

Amit Schendel
Amit Schendel
13 views•5 min read
•about 11 hours ago•GHSA-VWJC-V7X7-CM6G
8.8

GHSA-VWJC-V7X7-CM6G: Authorization Bypass via SQL-Defined User Functions in ArcadeDB

A critical authorization bypass vulnerability in ArcadeDB allows authenticated, low-privilege users to define and execute arbitrary JavaScript code via standard SQL statements. By circumventing the security checks introduced in GHSA-48qw-824m-86pr, an attacker can leverage the un-sandboxed GraalVM script engine to perform Server-Side Request Forgery (SSRF) and trigger denial-of-service conditions on the host system.

Amit Schendel
Amit Schendel
6 views•6 min read