Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
The Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events (SSE) stream and intercept all real-time data.
Details
Root Cause The StreamableHTTPTransport implementation stores only one SSE stream object per session ID and lacks:
- Session-to-user identity binding
- Ownership validation when establishing SSE connections
- Protection against multiple simultaneous connections to the same session
PoC
Vulnerable Code
File: streamable_http_transport.rb - L336-L339:
def store_stream_for_session(session_id, stream)
@mutex.synchronize do
if @sessions[session_id]
@sessions[session_id][:stream] = stream
# OVERWRITES existing stream
else
stream.close
end
end
endAttack Scenario
Step 1: Legitimate Session Establishment
POST / (initialize) → receives session_id: "abc123"
GET / with Mcp-Session-Id: abc123 → SSE stream connectedStep 2: Session ID Compromise
- An attacker obtains the session ID through various means (out of scope for this analysis)
Step 3: Stream Hijacking
GET / with Mcp-Session-Id: abc123
@sessions["abc123"][:stream] = attacker_stream `
# Victim's stream is REPLACED (silently disconnected)Step 4: Data Interception
- ALL subsequent tool responses/notifications go to the attacker
- The legitimate user receives no data and has no indication of the hijacking
Technical Details
The vulnerability happens:
Client 1 connects (GET request)
proc do |stream1|
# ← Rack server provides stream1 for client 1
@sessions[session_id][:stream] = stream1
# Stored
endClient 2 connects with SAME session ID (Attack!)
proc do |stream2|
# ← Rack provides stream2 for client 2
@sessions[session_id][:stream] = stream2
# REPLACES stream1!
endNow when the server sends notifications:
@sessions[session_id][:stream].write(data)
# Goes to stream2 (attacker!)
# stream1 (victim) receives nothingComparison: Python SDK Protection
The Python SDK prevents this vulnerability by rejecting duplicate SSE connections:
Refer: https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685
if GET_STREAM_KEY in self._request_streams:
# pragma: no cover
response = self._create_error_response(
"Conflict: Only one SSE stream is allowed per session",
HTTPStatus.CONFLICT,
)When a duplicate connection attempt is detected, the Python SDK returns an HTTP 409 Conflict error, protecting the existing connection.
Recommended Mitigations For SDK Maintainers
- Implement User Binding: All SDKs should bind session IDs to authenticated user identities where possible. Currently only, go-sdk and csharp-sdk do user binding.
- Ruby SDK: Prevent Duplicate Connections: Implement checks to reject or handle multiple simultaneous connections to the same session
- Improve Documentation: Provide clear guidance on secure session management implementation for SDK consumers
Steps To Reproduce:
Please find attached two python client files demonstrating the attack
Terminal 1: ruby streamable_http_server.rb
Makes use of https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb This server has a tool call notification_tool which the clients call
Terminal 2:
python3 legitimate_client_ruby_server.py
What happens:
- The client connects and prints the session ID
- Press Enter to start the SSE stream
- Notifications start appearing every 3 seconds as the client makes a tool call
Terminal 3 (while the legitimate client is running):
python3 attacker_client_ruby_server.py <SESSION_ID>
Replace <SESSION_ID> with the ID from Terminal 2.
What happens immediately:
- Terminal 2 (Legitimate): Stops receiving notifications, shows disconnect message
- Terminal 3 (Attacker): Starts receiving ALL the tool call responses
Impact
While the absence of user binding may not pose immediate risks if session IDs are not used to store sensitive data or state, the fundamental purpose of session IDs is to maintain stateful connections. If the SDK or its consumers utilize session IDs for sensitive operations without proper user binding controls, this creates a potential security vulnerability. For example: In the case of the Ruby SDK, the attacker was able to hijack the stream and receive all the tool responses belonging to the victim. The tool responses can be sensitive confidential data.
Additional Details
Session Hijacking Protection in MCP Implementations
The MCP specification recommends - "MCP servers SHOULD bind session IDs to user-specific information".
Current Implementation Status Across SDKs
Of the 10 official MCP SDKs, only the following implementations bind session IDs to user-specific information:
- csharp-sdk - https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97
- Go-sdk - https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2
attacker_client_ruby_server.py legitimate_client_ruby_server.py The remaining SDKs do not implement session-to-user binding. Most implementations only verify that a session ID exists, without validating ownership. Additionally, SDK documentation does not provide clear guidance on implementing secure session management, leaving security responsibilities unclear for SDK consumers.
AnalysisAI
Session hijacking in the Model Context Protocol Ruby SDK (mcp gem) allows attackers to intercept Server-Sent Events streams by reusing valid session identifiers. The streamable_http_transport.rb implementation overwrites existing SSE stream objects when a duplicate session ID connects, silently disconnecting legitimate users and redirecting all tool responses and real-time data to the attacker. A proof-of-concept demonstration has been provided showing successful stream hijacking, where the attacker receives confidential tool call responses intended for the victim. Patch available per vendor advisory (release v0.9.2 per references).
Technical ContextAI
The vulnerability affects the Model Context Protocol Ruby SDK (pkg:rubygems/mcp), specifically the StreamableHTTPTransport class responsible for managing Server-Sent Events connections. The root cause is CWE-384 (Session Fixation), where the implementation stores only one SSE stream object per session ID without binding sessions to user identities or validating ownership during connection establishment. When store_stream_for_session is invoked with an existing session ID, the code unconditionally overwrites the existing stream object at line 336-339 of streamable_http_transport.rb. This differs from the Python SDK implementation, which returns HTTP 409 Conflict for duplicate connection attempts. The MCP specification recommends binding session IDs to user-specific information, but only 2 of 10 official MCP SDKs (C
and Go) implement this control. The Ruby SDK lacks both user binding and duplicate connection rejection mechanisms.
RemediationAI
Upgrade the Model Context Protocol Ruby SDK to version 0.9.2 or later per the vendor release at https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2 and commit https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec42d2d72cb89b3874. For environments where immediate patching is not feasible, implement additional controls such as binding session IDs to authenticated user contexts at the application layer, enforcing short session timeouts, and monitoring for duplicate session connection attempts. Consider implementing similar duplicate connection rejection logic as demonstrated in the Python SDK reference implementation at https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685. Review application logs for suspicious patterns of rapid session ID reuse or concurrent connections with identical session identifiers.
More in Session Fixation
View allSession fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session
Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login
Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti
An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe
A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex
Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab
Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera
An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v
clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s
Same weakness CWE-384 – Session Fixation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16866
GHSA-qvqr-5cv7-wh35