DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-52869: CVE-2026-52869: Session Hijacking and Authorization Bypass in Model Context Protocol (MCP) Python SDK

CVE-2026-52869: Session Hijacking and Authorization Bypass in Model Context Protocol (MCP) Python SDK

Vulnerability ID: CVE-2026-52869
CVSS Score: 7.1
Published: 2026-07-16

An authorization bypass vulnerability exists in the Model Context Protocol (MCP) Python SDK prior to version 1.27.2. The Server-Sent Events (SSE) and stateful Streamable HTTP transports route incoming JSON-RPC requests based purely on user-controlled session identifiers without validating ownership, enabling authenticated attackers to inject commands into other sessions.

TL;DR

The MCP Python SDK failed to bind active session identifiers to authenticated client principals, allowing any bearer-token-authenticated user to hijack and inject JSON-RPC messages into another client's session by supplying their session ID.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-639
  • Attack Vector: Network
  • CVSS Score: 7.1 (High)
  • Exploit Status: poc
  • Impact: Authorization Bypass, Hijacking
  • KEV Status: Not Listed

Affected Systems

  • Model Context Protocol (MCP) Python SDK (mcp PyPI package)
  • mcp (PyPI): < 1.27.2 (Fixed in: 1.27.2)

Code Analysis

Commit: 1abcca2

Propagate token subject and claims mapping inside the AccessToken schema

Commit: ce267b6

Enforce transport session verification against client authentication context

Exploit Details

  • GitHub Test Suite Integration: Replication test logic contained in tests/server/test_sse_security.py validating transport security validation logic

Mitigation Strategies

  • Upgrade Python mcp SDK to 1.27.2 or higher.
  • Configure custom authentication middleware to populate subject, client_id, and issuer claims.
  • Restrict trace and network logs to prevent exposure of active session UUIDs.

Remediation Steps:

  1. Verify current package version via 'pip show mcp'.
  2. Execute 'pip install --upgrade mcp' to pull down 1.27.2+.
  3. Audit custom Starlette middleware implementations for compatibility with AuthenticatedUser constructs.
  4. Ensure experimental task management APIs use session-scoped generated IDs instead of global static task IDs.

References


Read the full report for CVE-2026-52869 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)