{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33252", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T02:42:27.510Z", "datePublished": "2026-03-23T23:44:16.106Z", "dateUpdated": "2026-03-24T18:39:50.841Z"}, "containers": {"cna": {"title": "MCP Go SDK Allows Cross-Site Tool Execution for HTTP Servers without Authorizatrion", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-89xv-2j6f-qhc8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-89xv-2j6f-qhc8"}, {"name": "https://github.com/modelcontextprotocol/go-sdk/commit/a433a831d6e5d5ac3b9e625a8095aa8eaa040dfc", "tags": ["x_refsource_MISC"], "url": "https://github.com/modelcontextprotocol/go-sdk/commit/a433a831d6e5d5ac3b9e625a8095aa8eaa040dfc"}], "affected": [{"vendor": "modelcontextprotocol", "product": "go-sdk", "versions": [{"version": "< 1.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T23:44:16.106Z"}, "descriptions": [{"lang": "en", "value": "The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary website to send MCP requests to a local server and potentially trigger tool execution. Version 1.4.1 contains a patch for the issue."}], "source": {"advisory": "GHSA-89xv-2j6f-qhc8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:39:44.408986Z", "id": "CVE-2026-33252", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:39:50.841Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33252", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T18:39:44.408986Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:39:48.017Z"}}], "cna": {"title": "MCP Go SDK Allows Cross-Site Tool Execution for HTTP Servers without Authorizatrion", "source": {"advisory": "GHSA-89xv-2j6f-qhc8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "modelcontextprotocol", "product": "go-sdk", "versions": [{"status": "affected", "version": "< 1.4.1"}]}], "references": [{"url": "https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-89xv-2j6f-qhc8", "name": "https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-89xv-2j6f-qhc8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/modelcontextprotocol/go-sdk/commit/a433a831d6e5d5ac3b9e625a8095aa8eaa040dfc", "name": "https://github.com/modelcontextprotocol/go-sdk/commit/a433a831d6e5d5ac3b9e625a8095aa8eaa040dfc", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary website to send MCP requests to a local server and potentially trigger tool execution. Version 1.4.1 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T23:44:16.106Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33252", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:39:50.841Z", "dateReserved": "2026-03-18T02:42:27.510Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T23:44:16.106Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lfprojects:mcp_go_sdk:*:*:*:*:*:*:*:*", "matchCriteriaId": "523AC61E-4F6E-4475-9CBE-F956F19ACA2A", "versionEndExcluding": "1.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary website to send MCP requests to a local server and potentially trigger tool execution. Version 1.4.1 contains a patch for the issue."}, {"lang": "es", "value": "El SDK de Go MCP utilizaba el encoding/json est\u00e1ndar de Go. Antes de la versi\u00f3n 1.4.1, el transporte HTTP Streamable del SDK de Go aceptaba solicitudes 'POST' de sitio cruzado generadas por el navegador sin validar el encabezado 'Origin' y sin requerir 'Content-Type: application/json'. En implementaciones sin autorizaci\u00f3n, especialmente configuraciones sin estado o sin sesi\u00f3n, esto permite a un sitio web arbitrario enviar solicitudes MCP a un servidor local y potencialmente activar la ejecuci\u00f3n de herramientas. La versi\u00f3n 1.4.1 contiene un parche para el problema."}], "id": "CVE-2026-33252", "lastModified": "2026-04-15T16:33:12.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-24T00:16:30.017", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/modelcontextprotocol/go-sdk/commit/a433a831d6e5d5ac3b9e625a8095aa8eaa040dfc"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-89xv-2j6f-qhc8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "encoding/json: golang: github.com/modelcontextprotocol/go-sdk: Go MCP SDK: Remote tool execution via cross-site request forgery", "id": "2450542", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450542"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L", "status": "draft"}, "cwe": "CWE-940", "details": ["A flaw was found in the Go MCP SDK's Streamable HTTP transport, which uses Go's standard `encoding/json` package. In deployments without authorization, a remote attacker can exploit this Cross-Site Request Forgery (CSRF) vulnerability. By sending browser-generated cross-site `POST` requests to a local server without proper validation of the `Origin` header or `Content-Type`, an attacker can potentially trigger unauthorized tool execution."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, ensure that deployments utilizing the Go MCP SDK are configured with proper authorization mechanisms. This prevents unauthorized cross-site requests from triggering tool execution. Additionally, restrict network access to the local server running the SDK to trusted sources only, using firewall rules to limit exposure."}, "name": "CVE-2026-33252", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "migration-toolkit-virtualization/mtv-cli-download-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "mtv-candidate/mtv-api-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "mtv-candidate/mtv-cli-download-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "mtv-candidate/mtv-controller-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "mtv-candidate/mtv-operator-bundle", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "openshift-lightspeed/openshift-mcp-server-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-client-kn-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-plugin-func-func-util-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-clients", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mod-arch-gen-ai-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/udi-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-03-23T23:44:16Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33252\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33252\nhttps://github.com/modelcontextprotocol/go-sdk/commit/a433a831d6e5d5ac3b9e625a8095aa8eaa040dfc\nhttps://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-89xv-2j6f-qhc8"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "go-sdk", "source": "cna", "vendor": "modelcontextprotocol"}, "product": "go-sdk", "vendor": "modelcontextprotocol"}], "analysis": {"en": {"generated_at": "2026-03-24T13:41:16.637515+00:00", "value": {"mitigation_remediation": ["Upgrade the Modelcontextprotocol Go SDK to version\u202f1.4.1 or later to apply the vendor patch.", "If upgrading is not immediately possible, enforce authentication on the MCP streamable HTTP transport or restrict requests to known origins by configuring server CORS settings.", "Validate that incoming requests include a Content\u2011Type header of application/json and check the Origin header before processing.", "Confirm that HTTP endpoints exposed by the SDK are not publicly accessible or are protected by firewall rules.", "Continuously monitor hosts running older SDK versions for signs of unauthorized requests or tool execution."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected systems are those using the Modelcontextprotocol Go SDK product, modelcontextprotocol:go-sdk. The vulnerability exists in all versions prior to 1.4.1. Servers running any of those earlier releases in a configuration that does not enforce authorization for the HTTP endpoints are susceptible. The issue applies to any environment that hosts the SDK\u2019s streamable transport and is reachable from a web browser, regardless of operating system.", "description_and_impact": "The Go MCP SDK relied on Go's standard encoding/json library and its Streamable HTTP transport accepted browser\u2011generated cross\u2011site POST requests without validating the Origin header or requiring a Content\u2011Type of application/json. When deployed without authorization\u2014especially in stateless or sessionless configurations\u2014an attacker can host a malicious web page that submits MCP requests to a local server and can cause tools defined by the SDK to execute. This allows an attacker to run arbitrary commands on the host, representing a remote code execution flaw rooted in missing origin validation and improper input handling (CWE\u2011352 and CWE\u2011940).", "risk_and_exploitability": "The CVSS base score of 7.1 indicates a high severity, and although the EPSS score is not available, the lack of a KEV listing does not diminish the potential danger. Attackers can exploit the flaw by simply loading a malicious page that triggers cross\u2011site POSTs to the vulnerable endpoint; no special credentials or privileged access are required. Because the server trusts the request without validating the origin, the attack is likely to succeed against users who already have network connectivity to the target server. The risk rises in environments where the SDK is exposed to the internet or to untrusted internal networks."}}}}, "created": "2026-03-24T10:29:46.075293+00:00", "updated": "2026-03-25T21:27:52.936020+00:00", "vendors": ["modelcontextprotocol", "modelcontextprotocol$PRODUCT$go-sdk"]}