Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Unauthenticated caller-controlled session_id (PR:N/AC:L) exposes victim conversations (C:H) and allows continuing them (I:L); no genuine availability impact, so A:N rather than the vendor's A:L.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the process-global SessionStore accepts caller-supplied session_id values without binding them to any authenticated principal or transport session. An attacker can enumerate active session IDs via deepseek_sessions, then reuse a victim-controlled session_id in deepseek_chat to retrieve and continue the victim's conversation context. Version 1.7.0 contains a patch.
AnalysisAI
Session context hijacking in the arikusi DeepSeek MCP Server (versions 1.4.2 through 1.6.x) lets remote attackers read and continue another user's DeepSeek V4 conversations. The process-global SessionStore trusts any caller-supplied session_id without tying it to an authenticated principal or transport session, so an attacker can enumerate live sessions via the deepseek_sessions tool and then replay a victim's session_id through deepseek_chat. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the DeepSeek MCP Server (v1.4.2-1.6.x) to be reachable by the attacker AND to hold more than one caller's sessions in its process-global SessionStore - i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L, base 8.6) portrays a network-reachable, unauthenticated, low-complexity attack with high confidentiality impact - consistent with the description, since enumeration plus replay requires no credentials or victim interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to a shared or network-exposed DeepSeek MCP Server calls the deepseek_sessions tool to list active session_id values, picks one belonging to a victim, and issues a deepseek_chat request carrying that session_id. The server returns the victim's prior conversation context and lets the attacker continue it, exposing any sensitive data the victim discussed and allowing injected follow-up turns. … |
| Remediation | Vendor-released patch: upgrade to version 1.7.0 (https://github.com/arikusi/deepseek-mcp-server/releases/tag/v1.7.0), which binds session identifiers to their owning principal/transport session. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all systems running arikusi DeepSeek MCP Server versions 1.4.2-1.6.x; isolate from production if operationally feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Deepseek Mcp Server
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42720