CVE-2026-33252
Published: 24 March 2026
Summary
CVE-2026-33252 is a high-severity CSRF (CWE-352) vulnerability in Lfprojects Mcp Go Sdk. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). It ranks at the 0.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the CSRF vulnerability by requiring upgrade of the Go MCP SDK to version 1.4.1, which patches the lack of Origin header validation and Content-Type enforcement.
Enforces validation of HTTP input headers such as Origin and Content-Type to block browser-generated cross-site POST requests to the MCP server.
Protects session authenticity against CSRF by implementing mechanisms like Origin validation or anti-CSRF tokens for Streamable HTTP transport requests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF in the network-accessible MCP HTTP transport is triggered by a victim visiting an attacker-controlled site (T1189/T1204.001) and directly enables unauthorized tool execution against the server (T1190).
NVD Description
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary website to send MCP requests to a local server and potentially trigger tool execution. Version 1.4.1 contains a patch for the issue.
Deeper analysis
CVE-2026-33252 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting the Go MCP SDK prior to version 1.4.1. The issue resides in the SDK's Streamable HTTP transport, which relies on Go's standard encoding/json package and accepts browser-generated cross-site POST requests without validating the Origin header or requiring a Content-Type of application/json. This flaw has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L), indicating high integrity impact with low availability impact and requiring user interaction.
An attacker can exploit this vulnerability by tricking a victim into visiting a malicious website, which then issues cross-site POST requests to the target's network-accessible MCP server. Exploitation is feasible in deployments lacking authorization, particularly stateless or sessionless configurations, allowing the attacker's site to send arbitrary MCP requests to a local server on the victim's network. Successful exploitation enables the attacker to trigger tool execution on the server, compromising integrity and potentially causing limited availability disruption, though no privileges or authentication are required on the attacker's part.
The Go MCP SDK version 1.4.1 patches this issue, as detailed in the project's security advisory (GHSA-89xv-2j6f-qhc8) and the corresponding commit (a433a831d6e5d5ac3b9e625a8095aa8eaa040dfc). Security practitioners should upgrade to at least version 1.4.1 and review deployments for missing authorization controls to mitigate exposure.
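The two checks the description names (Origin validation and a required `Content-Type: application/json`), written as a standalone `net/http` wrapper. This is an added example, not the SDK's 1.4.1 patch or code from the project; the allow list, the `/mcp` path and the `guard`/`probe` names are assumptions, and the request body is constructed sample input.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// guard rejects browser-style cross-site POSTs before they reach the MCP
// handler. allowed is a deployment-specific origin allow list (assumption).
func guard(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Browsers attach Origin to cross-site POSTs; non-browser MCP
		// clients normally omit it, so an absent header is let through.
		if o := r.Header.Get("Origin"); o != "" && !allowed[o] {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		if r.Method == http.MethodPost {
			// Forms and preflight-free fetches cannot send application/json,
			// so requiring it removes the no-preflight cross-site path.
			mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
			if err != nil || mt != "application/json" {
				http.Error(w, "want application/json", http.StatusUnsupportedMediaType)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed JSON-RPC POST through guard and returns the status.
func probe(origin, contentType string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	h := guard(map[string]bool{"http://localhost:3000": true}, ok)
	req := httptest.NewRequest(http.MethodPost, "/mcp", strings.NewReader(`{"jsonrpc":"2.0","id":1,"method":"tools/list"}`))
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	req.Header.Set("Content-Type", contentType)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(probe("https://evil.example", "text/plain"), probe("", "text/plain"), probe("http://localhost:3000", "application/json"))
}
```

A wrapper like this sits in front of the transport as defence in depth; it does not replace upgrading to 1.4.1 or adding authorization.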
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: mcp, mcp