Red Hat CVE-2026-33252
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
The Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary website to send MCP requests to a local server and potentially trigger tool execution.
Impact:
A malicious website may have been able to send cross-site POST requests with Content-Type: text/plain, which due to CORS-safelisted properties would reach the MCP message handling without any CORS preflight barrier.
Fix:
The SDK was modified to perform Content-Type header validation for POST requests and introduced a configurable protection for verifying the origin of the request in commit a433a83. Users are advised to update to v1.4.1 to use this additional protection.
Note: v1.4.1 requires Go 1.25 or later.
Credits:
Thank you to Lê Minh Quân for reporting the issue.
AnalysisAI
The Go SDK's Streamable HTTP transport fails to validate the Origin header and Content-Type on POST requests, allowing attackers to send cross-site requests that bypass CORS protections and trigger MCP tool execution on vulnerable servers without authorization. This affects deployments using stateless or sessionless configurations where an attacker can host a malicious website to send arbitrary MCP requests to a victim's local server. A patch is available that implements Content-Type validation and configurable origin verification.
Technical ContextAI
The vulnerability exists in the Model Context Protocol (MCP) Go SDK, specifically identified through CPE pkg:go/github.com_modelcontextprotocol_go-sdk, where the Streamable HTTP transport implementation fails to validate the Origin header for incoming POST requests and accepts requests with Content-Type: text/plain instead of requiring application/json. This is classified as CWE-352 (Cross-Site Request Forgery), a vulnerability class where web applications fail to verify that requests originate from authorized sources. The flaw is particularly critical in stateless or sessionless configurations where no additional authorization layer exists to prevent unauthorized access.
RemediationAI
Update the Model Context Protocol Go SDK to version 1.4.1 or later, which includes the security fix implemented in commit a433a83 (https://github.com/modelcontextprotocol/go-sdk/commit/a433a831d6e5d5ac3b9e625a8095aa8eaa040dfc). Note that version 1.4.1 requires Go 1.25 or later, so ensure your Go environment meets this requirement before upgrading. As an interim measure, implement proper authorization mechanisms for all MCP endpoints and consider restricting access to the MCP server through network-level controls or reverse proxy configurations that validate request origins.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-89xv-2j6f-qhc8