
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` req…

Published:

23 March 2026 at 23:00:00

Alert date:

24 March 2026 at 09:16:39

Source:

nvd.nist.gov


Web Technologies, Supply Chain & Dependencies

The Go MCP SDK prior to version 1.4.1 had a cross-site request forgery vulnerability in its Streamable HTTP transport. The transport accepted browser-generated cross-site POST requests without properly validating the Origin header or enforcing Content-Type requirements. This affected deployments without authorization, particularly stateless or sessionless configurations, allowing arbitrary websites to send MCP requests to local servers and potentially trigger tool execution. The issue has been patched in version 1.4.1.
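
One way a handler placed in front of an MCP endpoint can reject the cross-site POSTs described above, as an added example that is not the SDK's own code or its 1.4.1 patch. The allow-listed origins, the `/mcp` path, the `application/json` requirement and the sample JSON-RPC body are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed allow-list for a server bound to localhost:8080 (illustrative values).
var allowedOrigins = map[string]bool{"http://localhost:8080": true, "http://127.0.0.1:8080": true}

// guard rejects POSTs a browser could send cross-site before they reach next.
func guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost {
			// Browsers attach Origin to cross-site POSTs; other clients usually omit it.
			if o := r.Header.Get("Origin"); o != "" && !allowedOrigins[o] {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			// text/plain and form bodies need no CORS preflight, so accept only JSON.
			mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
			if err != nil || mt != "application/json" {
				http.Error(w, "want application/json", http.StatusUnsupportedMediaType)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed POST through guard; an empty argument acts as an absent header.
func probe(origin, contentType string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	body := strings.NewReader(`{"jsonrpc":"2.0","id":1,"method":"ping"}`) // constructed sample
	req := httptest.NewRequest(http.MethodPost, "http://localhost:8080/mcp", body)
	req.Header.Set("Origin", origin)
	req.Header.Set("Content-Type", contentType)
	rec := httptest.NewRecorder()
	guard(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(probe("https://attacker.example", "text/plain"))    // 403: foreign origin
	fmt.Println(probe("http://localhost:8080", "application/json")) // 200: allowed origin, JSON
}
```

The Origin check alone does not cover requests that arrive without an Origin header, which is why the Content-Type check runs independently of it.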

Technical details

Mitigation steps:

Affected products:

Go MCP SDK

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.
