DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-52870: CVE-2026-52870: Broken Object-Level Authorization (BOLA) in Model Context Protocol (MCP) Python SDK

CVE-2026-52870: Broken Object-Level Authorization (BOLA) in Model Context Protocol (MCP) Python SDK

Vulnerability ID: CVE-2026-52870
CVSS Score: 7.6
Published: 2026-07-16

CVE-2026-52870 is a high-severity Broken Object-Level Authorization (BOLA) / Missing Authorization vulnerability (CWE-862) discovered in the experimental tasks feature of the Model Context Protocol (MCP) Python SDK. Under affected versions (< 1.27.2), default handlers registered via server.experimental.enable_tasks() allowed connected clients to enumerate, access, and terminate active tasks belonging to other user sessions due to a lack of session ownership validation. This compromised multi-tenant isolation, allowing authenticated users to extract execution data and cancel running jobs across concurrent connections. The vulnerability has been resolved in version 1.27.2 through session-scoping of task identifiers and transport session pinning.

TL;DR

A Broken Object-Level Authorization (BOLA) vulnerability in MCP Python SDK allows connected clients to list, retrieve, and cancel background tasks belonging to other sessions due to a lack of context validation.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-862 (Missing Authorization)
  • Attack Vector: Network (AV:N)
  • CVSS Score: 7.6 (High)
  • EPSS Score: 0.00227
  • EPSS Percentile: 13.38%
  • Impact: Multi-tenant Isolation Bypass, Information Disclosure, Denial of Service (DoS)
  • Exploit Status: Proof-of-Concept Documented
  • KEV Status: Not Listed

Affected Systems

  • Model Context Protocol (MCP) Python SDK (mcp PyPI package)
  • python-sdk: >= 1.23.0, < 1.27.2 (Fixed in: 1.27.2)

Code Analysis

Commit: 6213787

Introduce task session-scoping module (task_scope.py) and update default task handlers to enforce requestor scope check.

Commit: ce267b6

Bind session transport state to authenticated identity contexts (session pinning).

Commit: 1abcca2

Propagate OAuth AccessToken subject claims for security context verification.

Exploit Details

Mitigation Strategies

  • Upgrade the mcp Python library to version 1.27.2 or later.
  • Disable experimental tasks by removing calls to server.experimental.enable_tasks() in server code.
  • Implement custom, session-validated task handlers to enforce context verification on older versions.

Remediation Steps:

  1. Check current mcp package version using pip show mcp.
  2. Upgrade the dependency using pip install --upgrade mcp>=1.27.2 or uv add mcp>=1.27.2.
  3. Verify server initialization code and ensure no deprecated custom task ID flows are active.
  4. Restart the affected MCP server instances to load the updated package and apply transport-level session pinning.

References


Read the full report for CVE-2026-52870 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)