cvedb.io
CVE-2026-33252
HIGH · CVSS 7.1
EPSS exploitation probability: 0%
Published 2026-03-24T00:16:30.017 · Last modified 2026-06-17T10:37:11.830

Summary

The Go MCP SDK uses Go's standard encoding/json. Prior to version 1.4.1, the SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. Browsers always attach `Origin` to cross-site `POST`s, and they will send such a request without a CORS preflight as long as the content type is one of the "simple" types (`text/plain`, `application/x-www-form-urlencoded`, `multipart/form-data`), so a server that checks neither header cannot tell a page on an arbitrary website apart from a legitimate client. In deployments with no authorization layer (no bearer token or similar), and especially in stateless or sessionless configurations where no session ID has to be known in advance, this allows any website a user visits to send JSON-RPC requests to an MCP server listening on localhost and potentially trigger tool execution. Version 1.4.1 contains a patch for the issue; the two header checks reduce the cross-site attack surface but do not substitute for authentication.
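The following is an added example, not code from the Go MCP SDK or from its 1.4.1 fix, showing the two checks the summary describes as plain `net/http` middleware wrapped around a stand-in handler. The allowlist of origins, the `/mcp` path and the `mcpStub` handler are assumptions for illustration; a browser `POST` from `https://evil.example` with the no-preflight `text/plain` content type passes the unguarded handler and is rejected by the guarded one.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedOrigins is an assumed allowlist of browser origins permitted to
// POST to the transport. Everything else from a browser is rejected.
var allowedOrigins = map[string]bool{
	"http://localhost:8080": true,
	"http://127.0.0.1:8080": true,
}

// originAllowed accepts requests with no Origin header (non-browser clients
// such as curl or an MCP client library never send one) and otherwise
// requires the browser origin to be on the allowlist.
func originAllowed(origin string) bool {
	if origin == "" {
		return true
	}
	return allowedOrigins[strings.ToLower(origin)]
}

// isJSONContentType parses the header with mime.ParseMediaType so that
// "application/json; charset=utf-8" is accepted and "text/plain" (a type
// browsers may send cross-site without a CORS preflight) is not.
func isJSONContentType(ct string) bool {
	mediaType, _, err := mime.ParseMediaType(ct)
	return err == nil && mediaType == "application/json"
}

// guardMCP applies both checks to POST requests before handing off to the
// transport handler. Other methods (GET for the SSE stream, DELETE) pass
// through unchanged here.
func guardMCP(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost {
			if !originAllowed(r.Header.Get("Origin")) {
				http.Error(w, "forbidden origin", http.StatusForbidden)
				return
			}
			if !isJSONContentType(r.Header.Get("Content-Type")) {
				http.Error(w, "Content-Type must be application/json", http.StatusUnsupportedMediaType)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// mcpStub is a constructed stand-in for an unguarded transport handler: it
// answers every POST with a JSON-RPC success, i.e. "the tool ran".
var mcpStub = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write([]byte(`{"jsonrpc":"2.0","id":1,"result":{}}`))
})

// probe sends a constructed tools/call request to h with the given Origin
// and Content-Type headers and returns the HTTP status the handler produced.
func probe(h http.Handler, origin, contentType string) int {
	body := strings.NewReader(`{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"run_command"}}`)
	req := httptest.NewRequest(http.MethodPost, "/mcp", body)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	req.Header.Set("Content-Type", contentType)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	guarded := guardMCP(mcpStub)
	fmt.Println("unguarded, cross-site text/plain:", probe(mcpStub, "https://evil.example", "text/plain"))
	fmt.Println("guarded, cross-site text/plain:  ", probe(guarded, "https://evil.example", "text/plain"))
	fmt.Println("guarded, cross-site JSON:        ", probe(guarded, "https://evil.example", "application/json"))
	fmt.Println("guarded, local origin text/plain:", probe(guarded, "http://localhost:8080", "text/plain"))
	fmt.Println("guarded, local origin JSON:      ", probe(guarded, "http://localhost:8080", "application/json; charset=utf-8"))
	fmt.Println("guarded, no Origin (curl):       ", probe(guarded, "", "application/json"))
}
```

The `Origin` allowlist is the check that actually stops a hostile page; the `Content-Type` requirement only closes the no-preflight path, since a browser will not send `application/json` cross-site without a preflight that this handler never approves. Neither check authenticates the caller, so a server exposing tools with side effects still needs an authorization layer in front of the transport.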

Affected products

lfprojects — mcp_go_sdk


References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.