CVE-2026-59950

Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
15/07/2026
Last modified:
17/07/2026

Description

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to 1.28.1, the deprecated mcp.server.websocket.websocket_server transport accepted WebSocket handshakes without applying Host or Origin header validation, leaving no SDK-level way to restrict which origins could connect to applications that exposed that transport. This issue is fixed in version 1.28.1.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:lfprojects:mcp_python_sdk:*:*:*:*:*:*:*:* 1.28.1 (excluding)