Go SDK HTTP Server Allows Arbitrary Post Requests Without Authentication (CVSS 3.1 score: 7.1)
GHSA-89xv-2j6f-qhc8
CVE-2026-33252
GO-2026-4773
Summary
A cross-site request forgery issue was found in the Go MCP SDK's Streamable HTTP transport. When the server is deployed without Authorization (especially in stateless or sessionless configurations), an arbitrary website can make a visitor's browser send MCP requests to a local server and potentially trigger tool execution. To fix this, update to version 1.4.1 of the library, which validates the `Origin` header and requires `Content-Type: application/json`.
What to do
- Update the github.com/modelcontextprotocol/go-sdk module to version 1.4.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | modelcontextprotocol | <= 1.4.0 | 1.4.1 |
| modelcontextprotocol | github.com/modelcontextprotocol/go-sdk | <= 1.4.1 | 1.4.1 |
Original description
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary website to send MCP requests to a local server and potentially trigger tool execution. Version 1.4.1 contains a patch for the issue.
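The two checks the patched transport is described as adding, written out as a standalone Go middleware. This is an added example for this advisory, not code from the go-sdk; the allowlist value `http://localhost:8080`, the `/mcp` path and the listen address are assumed.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/url"
	"strings"
)

// originCheck wraps an MCP endpoint and enforces the two conditions named in the
// advisory: a browser-sent Origin must be on an allowlist, and POST bodies must be
// declared as application/json. The Content-Type rule matters because browsers send
// form-encoded and text/plain POSTs cross-site without a CORS preflight.
type originCheck struct {
	allowed map[string]bool // allowed origins as "scheme://host[:port]" (assumed values)
	next    http.Handler
}

// Validate returns the HTTP status to answer with (200 means "let it through") and a
// short reason, so the policy can be checked without starting a server.
func (c originCheck) Validate(r *http.Request) (int, string) {
	if r.Method != http.MethodPost {
		return http.StatusOK, "non-POST passed through"
	}
	// Browsers always attach Origin to cross-site POSTs. No Origin header means a
	// non-browser client (an MCP client library, curl), which this policy permits.
	if origin := r.Header.Get("Origin"); origin != "" {
		u, err := url.Parse(origin)
		// "null" and malformed values parse to an empty scheme/host and are rejected.
		if err != nil || !c.allowed[strings.ToLower(u.Scheme+"://"+u.Host)] {
			return http.StatusForbidden, "origin not allowed: " + origin
		}
	}
	mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil || mt != "application/json" {
		return http.StatusUnsupportedMediaType, "Content-Type must be application/json"
	}
	return http.StatusOK, "ok"
}

func (c originCheck) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if status, reason := c.Validate(r); status != http.StatusOK {
		http.Error(w, reason, status)
		return
	}
	c.next.ServeHTTP(w, r)
}

func main() {
	// Constructed demo: a placeholder MCP handler behind the check, local page origin only.
	mcp := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "mcp request accepted") })
	h := originCheck{allowed: map[string]bool{"http://localhost:8080": true}, next: mcp}
	http.ListenAndServe("127.0.0.1:8080", h) // assumed listen address
}
```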
CVSS 3.1 score (source: GHSA): 7.1
Vulnerability type
CWE-352
Cross-Site Request Forgery (CSRF)
Published: 24 Mar 2026 · Updated: 24 Mar 2026 · First seen: 19 Mar 2026