2026-03-23 23:44:16
GitHub_M
PUBLISHED
The Go MCP SDK used Gos standard encoding/json. Prior to version 1.4.1, the Go SDKs Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary website to send MCP requests to a local server and potentially trigger tool execution. Version 1.4.1 contains a patch for the issue.