Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Attacker needs their own valid bearer token (PR:L) plus knowledge of a victim's transient, non-controllable session ID (AC:H) over the network (AV:N); injecting into another session breaches confidentiality and integrity (C:H/I:H) with limited availability impact (A:L).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
4DescriptionCVE.org
The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to 1.27.2, the SSE and stateful Streamable HTTP transports mcp.server.sse.SseServerTransport and mcp.server.streamable_http_manager.StreamableHTTPSessionManager route requests to existing sessions using only the session_id query parameter or Mcp-Session-Id header without verifying the authenticated principal that created the session, allowing a different bearer-token-authenticated client with a known session ID to inject JSON-RPC messages into that session. This issue is fixed in version 1.27.2.
Articles & Coverage 1
AnalysisAI
Cross-session message injection in the MCP Python SDK (the 'mcp' package on PyPI) prior to 1.27.2 allows an authenticated client holding a valid bearer token to hijack another principal's session on the SSE and stateful Streamable HTTP transports. Because SseServerTransport and StreamableHTTPSessionManager route inbound requests using only the session_id query parameter or Mcp-Session-Id header - never checking that the caller is the same authenticated principal who created the session - any bearer-token-authenticated client who learns a victim's session ID can inject arbitrary JSON-RPC messages into that session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) the target server to use the MCP Python SDK's stateful SSE transport (SseServerTransport) or stateful Streamable HTTP transport (StreamableHTTPSessionManager) - not stateless mode; (2) the server to authenticate clients with bearer tokens and serve more than one distinct principal over the same endpoint; (3) the attacker to hold their own valid bearer token accepted by that server (PR:L - authenticated); and (4) the attacker to know a victim's active session_id query-parameter value or Mcp-Session-Id header value, which is not attacker-controlled and is transient (this is the AC:H limiting factor). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L, base 7.1, High) is internally consistent with the description and with my independent assessment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | In a shared MCP server that authenticates multiple users by bearer token, a low-privileged tenant obtains a valid token of their own and learns another user's active session ID (for example from a proxy log, referrer leak, or shared infrastructure). Using their own valid token but supplying the victim's session_id / Mcp-Session-Id, they send crafted JSON-RPC messages that the server processes within the victim's session context. … |
| Remediation | Vendor-released patch: 1.27.2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify and document all systems running MCP SDK versions before 1.27.2, noting deployment context (development, staging, production). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44795