Description
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary website to send MCP requests to a local server and potentially trigger tool execution. Version 1.4.1 contains a patch for the issue.
Published: 2026-03-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Go MCP SDK relied on Go's standard encoding/json library and its Streamable HTTP transport accepted browser‑generated cross‑site POST requests without validating the Origin header or requiring a Content‑Type of application/json. When deployed without authorization—especially in stateless or sessionless configurations—an attacker can host a malicious web page that submits MCP requests to a local server and can cause tools defined by the SDK to execute. This allows an attacker to run arbitrary commands on the host, representing a remote code execution flaw rooted in missing origin validation and improper input handling (CWE‑352 and CWE‑940).

Affected Systems

Affected systems are those using the Modelcontextprotocol Go SDK product, modelcontextprotocol:go-sdk. The vulnerability exists in all versions prior to 1.4.1. Servers running any of those earlier releases in a configuration that does not enforce authorization for the HTTP endpoints are susceptible. The issue applies to any environment that hosts the SDK’s streamable transport and is reachable from a web browser, regardless of operating system.

Risk and Exploitability

The CVSS base score of 7.1 indicates a high severity, and although the EPSS score is not available, the lack of a KEV listing does not diminish the potential danger. Attackers can exploit the flaw by simply loading a malicious page that triggers cross‑site POSTs to the vulnerable endpoint; no special credentials or privileged access are required. Because the server trusts the request without validating the origin, the attack is likely to succeed against users who already have network connectivity to the target server. The risk rises in environments where the SDK is exposed to the internet or to untrusted internal networks.

Generated by OpenCVE AI on March 24, 2026 at 13:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Modelcontextprotocol Go SDK to version 1.4.1 or later to apply the vendor patch.
  • If upgrading is not immediately possible, enforce authentication on the MCP streamable HTTP transport or restrict requests to known origins by configuring server CORS settings.
  • Validate that incoming requests include a Content‑Type header of application/json and check the Origin header before processing.
  • Confirm that HTTP endpoints exposed by the SDK are not publicly accessible or are protected by firewall rules.
  • Continuously monitor hosts running older SDK versions for signs of unauthorized requests or tool execution.

Generated by OpenCVE AI on March 24, 2026 at 13:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-89xv-2j6f-qhc8 Cross-Site Tool Execution for HTTP Servers without Authorizatrion in github.com/modelcontextprotocol/go-sdk
History

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-940
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Modelcontextprotocol
Modelcontextprotocol go-sdk
Vendors & Products Modelcontextprotocol
Modelcontextprotocol go-sdk

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary website to send MCP requests to a local server and potentially trigger tool execution. Version 1.4.1 contains a patch for the issue.
Title MCP Go SDK Allows Cross-Site Tool Execution for HTTP Servers without Authorizatrion
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L'}

Subscriptions

Modelcontextprotocol Go-sdk
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:39:50.841Z

Reserved: 2026-03-18T02:42:27.510Z

Link: CVE-2026-33252

cve-icon Vulnrichment

Updated: 2026-03-24T18:39:48.017Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-24T00:16:30.017

Modified: 2026-03-24T15:53:48.067

Link: CVE-2026-33252

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-23T23:44:16Z

Links: CVE-2026-33252 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T21:27:52Z

Weaknesses