CVE-2026-52870: Broken Object-Level Authorization (BOLA) in Model Context Protocol (MCP) Python SDK
Vulnerability ID: CVE-2026-52870
CVSS Score: 7.6
Published: 2026-07-16
CVE-2026-52870 is a high-severity Broken Object-Level Authorization (BOLA) / Missing Authorization vulnerability (CWE-862) discovered in the experimental tasks feature of the Model Context Protocol (MCP) Python SDK. Under affected versions (< 1.27.2), default handlers registered via server.experimental.enable_tasks() allowed connected clients to enumerate, access, and terminate active tasks belonging to other user sessions due to a lack of session ownership validation. This compromised multi-tenant isolation, allowing authenticated users to extract execution data and cancel running jobs across concurrent connections. The vulnerability has been resolved in version 1.27.2 through session-scoping of task identifiers and transport session pinning.
TL;DR
A Broken Object-Level Authorization (BOLA) vulnerability in MCP Python SDK allows connected clients to list, retrieve, and cancel background tasks belonging to other sessions due to a lack of context validation.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-862 (Missing Authorization)
- Attack Vector: Network (AV:N)
- CVSS Score: 7.6 (High)
- EPSS Score: 0.00227
- EPSS Percentile: 13.38%
- Impact: Multi-tenant Isolation Bypass, Information Disclosure, Denial of Service (DoS)
- Exploit Status: Proof-of-Concept Documented
- KEV Status: Not Listed
Affected Systems
- Model Context Protocol (MCP) Python SDK (mcp PyPI package)
-
python-sdk: >= 1.23.0, < 1.27.2 (Fixed in:
1.27.2)
Code Analysis
Commit: 6213787
Introduce task session-scoping module (task_scope.py) and update default task handlers to enforce requestor scope check.
Commit: ce267b6
Bind session transport state to authenticated identity contexts (session pinning).
Commit: 1abcca2
Propagate OAuth AccessToken subject claims for security context verification.
Exploit Details
- GitHub Security Advisory: Exploit methodology documented in advisory description with example JSON-RPC payloads.
Mitigation Strategies
- Upgrade the mcp Python library to version 1.27.2 or later.
- Disable experimental tasks by removing calls to server.experimental.enable_tasks() in server code.
- Implement custom, session-validated task handlers to enforce context verification on older versions.
Remediation Steps:
- Check current mcp package version using pip show mcp.
- Upgrade the dependency using pip install --upgrade mcp>=1.27.2 or uv add mcp>=1.27.2.
- Verify server initialization code and ensure no deprecated custom task ID flows are active.
- Restart the affected MCP server instances to load the updated package and apply transport-level session pinning.
References
Read the full report for CVE-2026-52870 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)