chore(deps): update dependency mcp to v1.28.1 [security]#6457
Merged
Conversation
Generated by renovateBot
davidzhao
approved these changes
Jul 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.27.2→1.28.1MCP Python SDK: WebSocket server transport does not support Host/Origin validation
CVE-2026-59950 / GHSA-vj7q-gjh5-988w
More information
Details
Summary
In affected versions, the deprecated WebSocket server transport (
mcp.server.websocket.websocket_server) accepted the WebSocket handshake without applying anyHostorOriginheader validation. TheTransportSecuritySettingsmechanism that the SSE and Streamable HTTP transports use for this purpose was not wired into the WebSocket transport, so there was no SDK-level way to restrict which origins could connect.Am I affected?
Only if a developer's application server exposes
mcp.server.websocket.websocket_server. This transport has never been part of the MCP specification, is marked deprecated, and is not reachable throughFastMCP— a developer must have wired it into an ASGI application themselves. Servers using stdio, SSE, or Streamable HTTP are not affected by this advisory.Details
websocket_server()constructed a StarletteWebSocketand calledaccept(subprotocol="mcp")immediately, with no inspection of the connection's headers. By contrast,SseServerTransportandStreamableHTTPServerTransportaccept an optionalsecurity_settings: TransportSecuritySettingsand runTransportSecurityMiddleware.validate_request()against the incomingHostandOriginheaders before establishing a session. Because browsers attach anOriginheader to cross-origin WebSocket upgrade requests but do not enforce a same-origin policy on the response, a web page served from any origin could open a WebSocket to a reachable MCP server on this transport, complete theinitializehandshake, and issue JSON-RPC requests on the resulting session.Impact
A user who runs an MCP server on this transport bound to localhost or a LAN address, without a separate authentication or origin gate in front of it, and visits a malicious web page, can have that page enumerate and invoke the server's tools and read its resources. The consequences depend entirely on what the server exposes. The transport itself requires no token or prior session. Some browsers prompt before allowing a public page to open a connection to a local-network address, which adds a user-interaction step but is not a substitute for server-side validation.
Mitigation
Upgrade to version 1.28.1 or later, in which
websocket_server()accepts the same optionalsecurity_settings: TransportSecuritySettingsargument as the other HTTP-based transports and validates theHostandOriginheaders before accepting the handshake; a request that fails validation is rejected with HTTP 403 andValueError("Request validation failed")is raised to the caller. As with the other transports the parameter defaults toNone, which leaves validation disabled, so upgrading alone does not change behaviour: pass aTransportSecuritySettingswithenable_dns_rebinding_protection=Trueand appropriateallowed_hosts/allowed_originsto receive the protection. The recommended path remains to migrate off this deprecated transport to Streamable HTTP, whereFastMCPenables this protection automatically for localhost binds. The WebSocket transport has been removed entirely in v2.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
modelcontextprotocol/python-sdk (mcp)
v1.28.1Compare Source
What's Changed
Full Changelog: modelcontextprotocol/python-sdk@v1.28.0...v1.28.1
v1.28.0Compare Source
Deprecations
Two API surfaces now emit
DeprecationWarningahead of their removal in v2. Nothing is removed in 1.x, and the warnings fire only when the deprecated API is called - importing the modules stays silent.mcp.client.websocket.websocket_clientandmcp.server.websocket.websocket_server. WebSocket was never part of the MCP specification; use the streamable HTTP transport instead. The TypeScript SDK has likewise removed its WebSocket client for v2 (modelcontextprotocol/typescript-sdk#1783).ClientSession.experimental,Server.experimental,ServerSession.experimental, and theexperimental_task_handlers=kwarg onClientSession. Tasks (SEP-1686) were removed from the MCP specification and are expected to return as a separate MCP extension.If your test suite runs with
filterwarnings = ["error"]and exercises these paths, add a scoped ignore such asignore:The experimental tasks API is deprecated:DeprecationWarningorignore:The WebSocket .* transport is deprecated:DeprecationWarning.See #2828 for full details.
What's Changed
New Contributors
Full Changelog: modelcontextprotocol/python-sdk@v1.27.2...v1.28.0
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.