
CVE-2026-33252: CWE-352: Cross-Site Request Forgery (CSRF) in modelcontextprotocol go-sdk

Severity: High
Tags: cve, cve-2026-33252, cwe-352
Published: Mon Mar 23 2026 (03/23/2026, 23:44:16 UTC)
Source: CVE Database V5
Vendor/Project: modelcontextprotocol
Product: go-sdk

Description

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary website to send MCP requests to a local server and potentially trigger tool execution. Version 1.4.1 contains a patch for the issue.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/24/2026, 00:15:38 UTC

Technical Analysis

CVE-2026-33252 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the modelcontextprotocol Go SDK (go-sdk) prior to version 1.4.1. The root cause lies in the SDK's Streamable HTTP transport component, which uses Go's standard encoding/json package but fails to validate the Origin header on incoming POST requests. Additionally, it does not enforce that requests have a Content-Type header set to application/json.

This combination allows an attacker to craft a malicious website that, when visited by a user, can cause the browser to send unauthorized MCP POST requests to a local server running the vulnerable SDK. In configurations where no authorization mechanism is present, particularly stateless or sessionless deployments, these requests can trigger execution of tools or commands that the MCP server exposes. The vulnerability affects the integrity and availability of the system by enabling unauthorized actions but does not expose confidential data directly.

The CVSS v3.1 score is 7.1 (high severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction needed, and impact on integrity and availability. The issue was publicly disclosed on March 23, 2026, and fixed in version 1.4.1 of the go-sdk. No known exploits in the wild have been reported yet. The vulnerability is cataloged under CWE-352, which covers CSRF attacks. Mitigation involves upgrading to the patched version and implementing strict validation of Origin headers and Content-Type enforcement to prevent cross-site requests from unauthorized origins.

Potential Impact

This vulnerability can have significant impacts on organizations deploying the affected go-sdk versions, especially those using the SDK in environments without robust authorization controls. Attackers can exploit the CSRF flaw to send unauthorized commands or trigger tool execution on local servers, potentially disrupting services or causing unintended operations. This compromises system integrity and availability, which can lead to operational downtime, loss of trust, and potential cascading failures if the tools executed have broader system privileges. Since the vulnerability requires user interaction (visiting a malicious website), phishing or social engineering campaigns could be used to facilitate exploitation. Organizations with stateless or sessionless MCP deployments are at higher risk because they lack the typical session-based protections against CSRF. Although no direct confidentiality breach is indicated, the ability to execute arbitrary commands can indirectly lead to data exposure or further compromise. The vulnerability affects any organization using the vulnerable SDK versions, particularly those in critical infrastructure, cloud services, or software development environments relying on the modelcontextprotocol go-sdk.

Mitigation Recommendations

1. Upgrade the modelcontextprotocol go-sdk to version 1.4.1 or later immediately to apply the official patch addressing this vulnerability.
2. Implement strict validation of the Origin and Referer headers on the server side to ensure that only requests from trusted origins are processed.
3. Enforce the Content-Type header to be application/json for all MCP POST requests to prevent acceptance of cross-site form submissions with other content types.
4. Introduce or strengthen authorization mechanisms in MCP deployments, especially avoiding stateless or sessionless configurations without authentication.
5. Employ anti-CSRF tokens or similar mechanisms if the SDK or application allows customization to validate legitimate requests.
6. Monitor network traffic and logs for unusual POST requests to the MCP endpoints, particularly those originating from unexpected sources or with missing/incorrect headers.
7. Educate users about the risks of visiting untrusted websites that could trigger CSRF attacks.
8. Consider network-level controls such as firewall rules to restrict access to MCP services from untrusted networks or browsers.

These measures collectively reduce the attack surface and prevent exploitation even if a user visits a malicious site.
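The header checks from recommendations 2 and 3, sketched as Go middleware placed in front of a Streamable HTTP endpoint. This is an added example, not the SDK's 1.4.1 patch or code from the advisory; `guardMCP`, `demo`, `probe`, the `/mcp` path, the allowlisted origin and the request body are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// guardMCP (hypothetical name) rejects cross-site browser requests before they reach next.
func guardMCP(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Browsers attach Origin to cross-site POSTs. Treating a missing header as a
		// non-browser client is a policy choice made for this example.
		if o := r.Header.Get("Origin"); o != "" && !allowed[o] {
			http.Error(w, fmt.Sprintf("origin %q not allowed", o), http.StatusForbidden)
			return
		}
		// HTML forms cannot send application/json, so requiring it stops form-style POSTs.
		mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
		if r.Method == http.MethodPost && (err != nil || mt != "application/json") {
			http.Error(w, "Content-Type must be application/json", http.StatusUnsupportedMediaType)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// demo guards a stand-in for the MCP endpoint; the allowlist entry is constructed.
var demo = guardMCP(map[string]bool{"http://localhost:3000": true},
	http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))

// probe sends a constructed JSON-RPC POST with the given headers and returns the status.
func probe(hdr map[string]string) int {
	body := strings.NewReader(`{"jsonrpc":"2.0","id":1,"method":"tools/list"}`)
	req := httptest.NewRequest(http.MethodPost, "/mcp", body)
	for k, v := range hdr {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	demo.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(probe(map[string]string{"Origin": "https://untrusted.example", "Content-Type": "text/plain"}))
	fmt.Println(probe(map[string]string{"Content-Type": "text/plain"}))
	fmt.Println(probe(map[string]string{"Origin": "http://localhost:3000", "Content-Type": "application/json"}))
}
```

The 403 and 415 responses also give the log monitoring in recommendation 6 a concrete signal to alert on.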


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-18T02:42:27.510Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 69c1d434f4197a8e3ba042af

Added to database: 3/24/2026, 12:00:52 AM

Last enriched: 3/24/2026, 12:15:38 AM

Last updated: 3/24/2026, 4:41:32 AM
