CVE-2026-33252 (CVSS 7.1) is a CSRF vulnerability in the Go MCP SDK prior to v1.4.1, where the Streamable HTTP transport failed to validate the Origin header and Content-Type on incoming POST requests, allowing attacker-controlled web pages to forge unauthorized MCP tool calls against locally running servers — potentially triggering file system access, code execution, or data exfiltration depending on registered tools. Exploitation is most viable in developer tooling and local AI assistant integrations lacking Authorization headers. Actions: upgrade the Go MCP SDK to v1.4.1 via go get, audit go.mod across all repositories for affected versions, and establish Origin header validation as a baseline policy for all HTTP-based AI tool integrations.
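The two missing checks named above, Origin validation and a strict Content-Type on POST, are the core of the fix, and they are easy to enforce independently of whichever SDK version is in use. The following is an added example, not code from the Go MCP SDK or from the advisory: a standard-library `net/http` middleware that sits in front of an MCP Streamable HTTP handler (a placeholder `http.Handler` here), rejects cross-site POSTs whose `Origin` is not on a local allowlist, and refuses any POST that is not `application/json`. The allowlisted hosts (`localhost:8080`, `127.0.0.1:8080`) and the `/mcp` path are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// originPolicy is the set of origins a locally running MCP server accepts on
// state-changing (POST) requests. Browsers always attach Origin to a cross-site
// POST, so an allowlist here is what stops a hostile page from forging tool
// calls against a server bound to the loopback interface.
type originPolicy struct {
	allowedHosts map[string]bool // host[:port] values, e.g. "localhost:8080" (assumed)
}

// allowed reports whether an Origin header value is acceptable.
// An absent Origin is accepted for non-browser clients (curl, the SDK's own
// client); the literal "null" and anything unparsable is rejected.
func (p originPolicy) allowed(origin string) bool {
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	return p.allowedHosts[strings.ToLower(u.Host)]
}

// validContentType requires a JSON body on POST. The "simple request" types a
// browser can send cross-site without a CORS preflight (text/plain,
// form-urlencoded, multipart) all fail this check.
func validContentType(ct string) bool {
	mt, _, err := mime.ParseMediaType(ct)
	if err != nil {
		return false
	}
	return mt == "application/json"
}

// guard wraps the MCP HTTP handler with both checks; GET (SSE stream) and other
// methods pass through untouched.
func guard(p originPolicy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost {
			if !p.allowed(r.Header.Get("Origin")) {
				http.Error(w, "forbidden origin", http.StatusForbidden)
				return
			}
			if !validContentType(r.Header.Get("Content-Type")) {
				http.Error(w, "unsupported media type", http.StatusUnsupportedMediaType)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// newGuardedHandler builds the guarded chain. The inner handler is a
// placeholder standing in for the SDK's Streamable HTTP handler (assumption).
func newGuardedHandler() http.Handler {
	mcp := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	policy := originPolicy{allowedHosts: map[string]bool{
		"localhost:8080": true,
		"127.0.0.1:8080": true,
	}}
	return guard(policy, mcp)
}

// statusFor drives the handler with a constructed JSON-RPC POST and returns the
// HTTP status, so the policy can be exercised offline without a listener.
func statusFor(h http.Handler, origin, contentType string) int {
	body := strings.NewReader(`{"jsonrpc":"2.0","method":"tools/list","id":1}`) // constructed
	req := httptest.NewRequest(http.MethodPost, "http://localhost:8080/mcp", body)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := newGuardedHandler()
	fmt.Println(statusFor(h, "http://localhost:8080", "application/json"))   // 200: same-origin tool call
	fmt.Println(statusFor(h, "https://attacker-page.example", "application/json")) // 403: cross-site page
	fmt.Println(statusFor(h, "http://localhost:8080", "text/plain"))         // 415: preflight-free body type
}
```

Accepting a request with no `Origin` at all is a deliberate choice so that command-line and SDK clients keep working; it is safe only because browsers never omit the header on a cross-site POST. The middleware is a transport-level guard, not authentication: the advisory's point about missing Authorization headers still stands, and a bearer-token or similar check belongs in the same chain.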