GitHub Advisory — MCP Go SDK Cross-Site Tool Execution (CVE-2026-33252)
AI relevance: MCP HTTP endpoints are a direct control plane for agent tool calls, so cross-site request flaws can let untrusted web content trigger real tool actions on local/edge agent hosts.
- CVE-2026-33252 affects `github.com/modelcontextprotocol/go-sdk` Streamable HTTP transport behavior.
- According to the GitHub advisory, affected deployments accepted browser-generated cross-site POST requests without Origin validation.
- The same advisory notes POST handling did not strictly require `Content-Type: application/json`, allowing `text/plain` cross-site requests to reach MCP message handling in some setups.
- Risk is highest where MCP HTTP endpoints are exposed without authorization (especially stateless/sessionless deployments).
- Potential impact is unauthorized tool invocation from a malicious website opened by an operator, not necessarily direct server compromise.
- Upstream fix adds content-type validation plus configurable origin protection in commit `a433a83`.
- Maintainers advise upgrading to `v1.4.1` or newer; release notes indicate this line requires Go 1.25+.
Why it matters
Many teams now run MCP endpoints near developer workstations, automation runners, or internal jump hosts to power coding and ops agents. If a browser tab can issue cross-site MCP tool requests, the practical attack path becomes “visit page → trigger tool,” which collapses the trust boundary between ordinary web browsing and privileged agent actions.
What to do
- Upgrade now: move to `go-sdk` `v1.4.1+` wherever Streamable HTTP is enabled.
- Require auth: do not expose MCP HTTP transports without explicit authorization controls.
- Enforce origin policy: enable strict Origin checks and reject unexpected browser origins.
- Network-segment MCP endpoints: bind locally when possible and block broad LAN/WAN reachability.
- Reduce tool blast radius: run MCP servers with least-privilege file/system/cloud permissions.
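The two request-level controls the advisory describes (an Origin allow-list and a strict JSON Content-Type on POST) can be enforced in front of any Streamable HTTP handler while you wait for the upgrade, or as defence in depth after it. The following middleware is an added example written for this note, not code from the go-sdk project or its fix commit; the names `OriginPolicy`, `checkMCPRequest` and `hardenMCPHandler`, the allowed origin `http://localhost:3000`, and the inner `mcpHandler` stub are all assumptions. It goes slightly beyond the advisory text by applying the Origin check to every method (not only POST), and it treats a missing Origin header as a non-browser client, which is a policy choice you may want to tighten.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// OriginPolicy is the set of browser origins allowed to reach the MCP endpoint.
// Keys are lower-case origins such as "http://localhost:3000" (assumed value).
type OriginPolicy struct {
	Allowed map[string]bool
}

// Decision is the outcome of the request checks: an HTTP status and a reason.
type Decision struct {
	Status int
	Reason string
}

// checkMCPRequest applies the two controls from the advisory.
//   - Origin: browsers always attach Origin to cross-site POSTs, so an Origin
//     outside the allow-list is rejected. A missing Origin is treated as a
//     non-browser client (curl, an agent runtime) and allowed; change this if
//     your deployment only ever expects browser traffic.
//   - Content-Type: a cross-site POST with text/plain is a CORS "simple request"
//     and needs no preflight, whereas application/json does, so requiring the
//     JSON media type on POST closes that path.
func checkMCPRequest(p OriginPolicy, method, origin, contentType string) Decision {
	if origin != "" && !p.Allowed[strings.ToLower(origin)] {
		return Decision{http.StatusForbidden, "origin not in allow-list"}
	}
	if method == http.MethodPost {
		mt, _, err := mime.ParseMediaType(contentType)
		if err != nil || mt != "application/json" {
			return Decision{http.StatusUnsupportedMediaType, "Content-Type must be application/json"}
		}
	}
	return Decision{http.StatusOK, "ok"}
}

// hardenMCPHandler wraps an MCP HTTP handler with the checks above.
func hardenMCPHandler(p OriginPolicy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		d := checkMCPRequest(p, r.Method, r.Header.Get("Origin"), r.Header.Get("Content-Type"))
		if d.Status != http.StatusOK {
			http.Error(w, d.Reason, d.Status)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mcpHandler stands in for the real transport handler (assumed stub).
func mcpHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "mcp message accepted")
}

func main() {
	policy := OriginPolicy{Allowed: map[string]bool{"http://localhost:3000": true}}
	srv := hardenMCPHandler(policy, http.HandlerFunc(mcpHandler))

	// Constructed request shaped like a browser's cross-site simple POST.
	crossSite := httptest.NewRequest(http.MethodPost, "/mcp", strings.NewReader(`{"jsonrpc":"2.0"}`))
	crossSite.Header.Set("Origin", "https://attacker.example")
	crossSite.Header.Set("Content-Type", "text/plain")
	rec := httptest.NewRecorder()
	srv.ServeHTTP(rec, crossSite)
	fmt.Println("cross-site text/plain POST ->", rec.Code)

	// Constructed request from an allowed origin with the required media type.
	ok := httptest.NewRequest(http.MethodPost, "/mcp", strings.NewReader(`{"jsonrpc":"2.0"}`))
	ok.Header.Set("Origin", "http://localhost:3000")
	ok.Header.Set("Content-Type", "application/json; charset=utf-8")
	rec = httptest.NewRecorder()
	srv.ServeHTTP(rec, ok)
	fmt.Println("allowed-origin JSON POST ->", rec.Code)
}
```

Running the program shows the cross-site `text/plain` POST rejected with 403 and the same-origin JSON POST accepted with 200. The checks are ordered so that an unexpected Origin is refused before the body is ever parsed, and `mime.ParseMediaType` is used rather than string equality so that `application/json; charset=utf-8` still passes while `text/plain` and a missing header do not.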