Skip to main content

Session Fixation CVE-2026-33946

| EUVDEUVD-2026-16866 HIGH
Session Fixation (CWE-384)
2026-03-27 https://github.com/modelcontextprotocol/ruby-sdk GHSA-qvqr-5cv7-wh35
8.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 27, 2026 - 19:00 euvd
EUVD-2026-16866
Analysis Generated
Mar 27, 2026 - 19:00 vuln.today
Patch released
Mar 27, 2026 - 19:00 nvd
Patch available
CVE Published
Mar 27, 2026 - 18:36 nvd
HIGH 8.2

DescriptionGitHub Advisory

Summary

The Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events (SSE) stream and intercept all real-time data.

Details

Root Cause The StreamableHTTPTransport implementation stores only one SSE stream object per session ID and lacks:

  • Session-to-user identity binding
  • Ownership validation when establishing SSE connections
  • Protection against multiple simultaneous connections to the same session

PoC

Vulnerable Code

File: streamable_http_transport.rb - L336-L339:

def store_stream_for_session(session_id, stream)
  @mutex.synchronize do
    if @sessions[session_id]
      @sessions[session_id][:stream] = stream
# OVERWRITES existing stream
    else
      stream.close
    end
  end
end
Attack Scenario

Step 1: Legitimate Session Establishment

POST / (initialize) → receives session_id: "abc123"
GET / with Mcp-Session-Id: abc123 → SSE stream connected

Step 2: Session ID Compromise

  • An attacker obtains the session ID through various means (out of scope for this analysis)

Step 3: Stream Hijacking

GET / with Mcp-Session-Id: abc123
@sessions["abc123"][:stream] = attacker_stream `
# Victim's stream is REPLACED (silently disconnected)

Step 4: Data Interception

  • ALL subsequent tool responses/notifications go to the attacker
  • The legitimate user receives no data and has no indication of the hijacking
Technical Details

The vulnerability happens:

Client 1 connects (GET request)

proc do |stream1|
# ← Rack server provides stream1 for client 1
 @sessions[session_id][:stream] = stream1
# Stored
end

Client 2 connects with SAME session ID (Attack!)

proc do |stream2|
# ← Rack provides stream2 for client 2
 @sessions[session_id][:stream] = stream2
# REPLACES stream1!
end

Now when the server sends notifications:

@sessions[session_id][:stream].write(data)
# Goes to stream2 (attacker!)
# stream1 (victim) receives nothing

Comparison: Python SDK Protection

The Python SDK prevents this vulnerability by rejecting duplicate SSE connections:

Refer: https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685

if GET_STREAM_KEY in self._request_streams:
# pragma: no cover
            response = self._create_error_response(
                "Conflict: Only one SSE stream is allowed per session",
                HTTPStatus.CONFLICT,
            )

When a duplicate connection attempt is detected, the Python SDK returns an HTTP 409 Conflict error, protecting the existing connection.

Recommended Mitigations For SDK Maintainers

  • Implement User Binding: All SDKs should bind session IDs to authenticated user identities where possible. Currently only, go-sdk and csharp-sdk do user binding.
  • Ruby SDK: Prevent Duplicate Connections: Implement checks to reject or handle multiple simultaneous connections to the same session
  • Improve Documentation: Provide clear guidance on secure session management implementation for SDK consumers

Steps To Reproduce:

Please find attached two python client files demonstrating the attack

Terminal 1: ruby streamable_http_server.rb

Makes use of https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb This server has a tool call notification_tool which the clients call

Terminal 2:

python3 legitimate_client_ruby_server.py

What happens:

  • The client connects and prints the session ID
  • Press Enter to start the SSE stream
  • Notifications start appearing every 3 seconds as the client makes a tool call

Terminal 3 (while the legitimate client is running):

python3 attacker_client_ruby_server.py <SESSION_ID>

Replace <SESSION_ID> with the ID from Terminal 2.

What happens immediately:

  • Terminal 2 (Legitimate): Stops receiving notifications, shows disconnect message
  • Terminal 3 (Attacker): Starts receiving ALL the tool call responses

Impact

While the absence of user binding may not pose immediate risks if session IDs are not used to store sensitive data or state, the fundamental purpose of session IDs is to maintain stateful connections. If the SDK or its consumers utilize session IDs for sensitive operations without proper user binding controls, this creates a potential security vulnerability. For example: In the case of the Ruby SDK, the attacker was able to hijack the stream and receive all the tool responses belonging to the victim. The tool responses can be sensitive confidential data.

Additional Details

Session Hijacking Protection in MCP Implementations

The MCP specification recommends - "MCP servers SHOULD bind session IDs to user-specific information".

Current Implementation Status Across SDKs

Of the 10 official MCP SDKs, only the following implementations bind session IDs to user-specific information:

  1. csharp-sdk - https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97
  2. Go-sdk - https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2

attacker_client_ruby_server.py legitimate_client_ruby_server.py The remaining SDKs do not implement session-to-user binding. Most implementations only verify that a session ID exists, without validating ownership. Additionally, SDK documentation does not provide clear guidance on implementing secure session management, leaving security responsibilities unclear for SDK consumers.

AnalysisAI

Session hijacking in the Model Context Protocol Ruby SDK (mcp gem) allows attackers to intercept Server-Sent Events streams by reusing valid session identifiers. The streamable_http_transport.rb implementation overwrites existing SSE stream objects when a duplicate session ID connects, silently disconnecting legitimate users and redirecting all tool responses and real-time data to the attacker. A proof-of-concept demonstration has been provided showing successful stream hijacking, where the attacker receives confidential tool call responses intended for the victim. Patch available per vendor advisory (release v0.9.2 per references).

Technical ContextAI

The vulnerability affects the Model Context Protocol Ruby SDK (pkg:rubygems/mcp), specifically the StreamableHTTPTransport class responsible for managing Server-Sent Events connections. The root cause is CWE-384 (Session Fixation), where the implementation stores only one SSE stream object per session ID without binding sessions to user identities or validating ownership during connection establishment. When store_stream_for_session is invoked with an existing session ID, the code unconditionally overwrites the existing stream object at line 336-339 of streamable_http_transport.rb. This differs from the Python SDK implementation, which returns HTTP 409 Conflict for duplicate connection attempts. The MCP specification recommends binding session IDs to user-specific information, but only 2 of 10 official MCP SDKs (C

and Go) implement this control. The Ruby SDK lacks both user binding and duplicate connection rejection mechanisms.

RemediationAI

Upgrade the Model Context Protocol Ruby SDK to version 0.9.2 or later per the vendor release at https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2 and commit https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec42d2d72cb89b3874. For environments where immediate patching is not feasible, implement additional controls such as binding session IDs to authenticated user contexts at the application layer, enforcing short session timeouts, and monitoring for duplicate session connection attempts. Consider implementing similar duplicate connection rejection logic as demonstrated in the Python SDK reference implementation at https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685. Review application logs for suspicious patterns of rapid session ID reuse or concurrent connections with identical session identifiers.

CVE-2017-12965 CRITICAL POC
9.8 Aug 23

Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa

CVE-2025-28242 CRITICAL POC
9.8 Apr 18

Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session

CVE-2022-40916 CRITICAL POC
9.8 Feb 06

Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2025-45949 CRITICAL POC
9.8 Apr 28

A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login

CVE-2023-48929 CRITICAL POC
9.8 Dec 08

Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti

CVE-2023-41012 CRITICAL POC
9.8 Sep 05

An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe

CVE-2023-31498 CRITICAL POC
9.8 May 11

A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex

CVE-2022-3269 CRITICAL POC
9.8 Sep 23

Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab

CVE-2021-39290 CRITICAL POC
9.8 Aug 23

Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera

CVE-2020-11729 CRITICAL POC
9.8 Apr 15

An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v

CVE-2019-18418 CRITICAL POC
9.8 Oct 24

clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be

CVE-2018-18925 CRITICAL POC
9.8 Nov 04

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s

Share

CVE-2026-33946 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy