CVE-2026-52869: Session Hijacking and Authorization Bypass in Model Context Protocol (MCP) Python SDK
Vulnerability ID: CVE-2026-52869
CVSS Score: 7.1
Published: 2026-07-16
An authorization bypass vulnerability exists in the Model Context Protocol (MCP) Python SDK prior to version 1.27.2. The Server-Sent Events (SSE) and stateful Streamable HTTP transports route incoming JSON-RPC requests based purely on user-controlled session identifiers without validating ownership, enabling authenticated attackers to inject commands into other sessions.
TL;DR
The MCP Python SDK failed to bind active session identifiers to authenticated client principals, allowing any bearer-token-authenticated user to hijack and inject JSON-RPC messages into another client's session by supplying their session ID.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-639
- Attack Vector: Network
- CVSS Score: 7.1 (High)
- Exploit Status: poc
- Impact: Authorization Bypass, Hijacking
- KEV Status: Not Listed
Affected Systems
- Model Context Protocol (MCP) Python SDK (mcp PyPI package)
-
mcp (PyPI): < 1.27.2 (Fixed in:
1.27.2)
Code Analysis
Commit: 1abcca2
Propagate token subject and claims mapping inside the AccessToken schema
Commit: ce267b6
Enforce transport session verification against client authentication context
Exploit Details
- GitHub Test Suite Integration: Replication test logic contained in tests/server/test_sse_security.py validating transport security validation logic
Mitigation Strategies
- Upgrade Python mcp SDK to 1.27.2 or higher.
- Configure custom authentication middleware to populate subject, client_id, and issuer claims.
- Restrict trace and network logs to prevent exposure of active session UUIDs.
Remediation Steps:
- Verify current package version via 'pip show mcp'.
- Execute 'pip install --upgrade mcp' to pull down 1.27.2+.
- Audit custom Starlette middleware implementations for compatibility with AuthenticatedUser constructs.
- Ensure experimental task management APIs use session-scoped generated IDs instead of global static task IDs.
References
Read the full report for CVE-2026-52869 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)