Security advisory: MCP Hangar 1.5.1 requires the CVE-2026-59950 fix
An upstream MCP Python SDK CVE (WebSocket Host/Origin validation) is fixed in mcp 1.28.1. MCP Hangar 1.5.1 raises the required floor so installs pull the patched SDK. Upgrade guidance inside.