Platform
go
Component
github.com/modelcontextprotocol/go-sdk
Fixed in
1.4.2
1.4.1
CVE-2026-33252 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in the ModelContextProtocol Go SDK. The flaw lets a malicious website send crafted POST requests to a vulnerable endpoint, potentially triggering unintended actions or tool execution. It affects versions prior to 1.4.1 and is addressed by upgrading to the patched version. The root cause is inadequate validation of the Origin header in HTTP requests.
The primary impact of CVE-2026-33252 is the potential for unauthorized tool execution. An attacker can leverage a malicious website to send crafted POST requests to a vulnerable ModelContextProtocol Go SDK endpoint. Because the SDK did not properly validate the Origin header, these requests bypass expected security controls. In deployments lacking authorization mechanisms, such as stateless or sessionless configurations, this vulnerability is particularly dangerous. The attacker could potentially trigger actions that compromise data integrity or system availability, depending on the functionality exposed by the SDK and the tools it interacts with. This is similar to other CSRF vulnerabilities where an attacker can trick a user into performing actions they did not intend to.
CVE-2026-33252 was published on 2026-03-19. Severity is currently assessed as HIGH (CVSS 7.1). There are no known public exploits or active campaigns targeting this vulnerability at the time of writing. The vulnerability is not currently listed on KEV or EPSS, indicating a low to medium probability of exploitation. Refer to the official ModelContextProtocol advisory for further details.
Exploit Status
EPSS: 0.01% (0% percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33252 is to upgrade the ModelContextProtocol Go SDK to version 1.4.1 or later. This version includes the necessary fixes to properly validate the Origin header and prevent unauthorized requests. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy to filter out requests with suspicious Origin headers. Additionally, ensure that all deployments require authentication and authorization for sensitive endpoints to limit the potential impact of this vulnerability. After upgrading, confirm the fix by attempting to send a cross-origin POST request to a vulnerable endpoint and verifying that it is rejected.
Update the Go MCP SDK to version 1.4.1 or later. This fixes the Cross-Site Request Forgery (CSRF) vulnerability by validating the `Origin` header and requiring `Content-Type: application/json` for HTTP requests.
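The two checks named above, written out as an added Go example that is not the SDK's own code: an `http.Handler` wrapper that enforces an Origin allowlist and an `application/json` body on POST, plus an in-process version of the post-upgrade probe from the mitigation text. The allowlist, the `/mcp` path and the decision to tolerate a missing Origin header (non-browser MCP clients usually send none) are assumptions of this example.

```go
package main

import (
	"mime"
	"net/http"
	"net/http/httptest"
)

// checkRequest applies the two checks the advisory names: a browser-supplied Origin
// must be allowlisted, and a POST body must be application/json. (0, "") means proceed.
func checkRequest(method, origin, contentType string, allowed map[string]bool) (int, string) {
	// Browsers always attach Origin to cross-site POSTs; non-browser MCP clients
	// usually omit it, so an absent header is tolerated here (assumption).
	if origin != "" && !allowed[origin] {
		return http.StatusForbidden, "origin not allowed"
	}
	if method == http.MethodPost {
		// HTML forms can only send "simple" types (text/plain, form-urlencoded, multipart)
		// without a CORS preflight; requiring application/json forces a preflight CORS can refuse.
		mt, _, err := mime.ParseMediaType(contentType)
		if err != nil || mt != "application/json" {
			return http.StatusUnsupportedMediaType, "content-type must be application/json"
		}
	}
	return 0, ""
}

// originGuard wraps an MCP HTTP handler (or sits in a reverse proxy) with checkRequest.
func originGuard(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code, why := checkRequest(r.Method, r.Header.Get("Origin"), r.Header.Get("Content-Type"), allowed)
		if code != 0 {
			http.Error(w, why, code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe is the post-upgrade check from the mitigation text, run in-process: send a
// cross-origin POST at a guarded stand-in endpoint and report the status it returns.
func probe(allowed map[string]bool, origin, contentType string) int {
	okHandler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodPost, "/mcp", nil) // path is a constructed example
	req.Header.Set("Origin", origin)
	req.Header.Set("Content-Type", contentType)
	rec := httptest.NewRecorder()
	originGuard(allowed, okHandler).ServeHTTP(rec, req)
	return rec.Code
}
```

A request from a non-allowlisted origin gets 403, and a same-origin form post without a JSON content type gets 415, which is what a verification probe against a patched deployment should observe.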
CVE-2026-33252 is a CSRF vulnerability in the ModelContextProtocol Go SDK affecting versions before 1.4.1. It allows malicious websites to trigger actions via crafted POST requests due to missing Origin header validation, potentially leading to unauthorized tool execution.
You are affected if you are using the ModelContextProtocol Go SDK versions prior to 1.4.1, especially in deployments without authentication or authorization, or those relying solely on CORS.
Upgrade the ModelContextProtocol Go SDK to version 1.4.1 or later. As a temporary workaround, implement a WAF or proxy to filter suspicious Origin headers.
Currently, there are no known public exploits or active campaigns targeting CVE-2026-33252, but the vulnerability remains a potential risk.
Refer to the official ModelContextProtocol advisory for detailed information and updates regarding CVE-2026-33252.