Skip to main content

DeepSeek MCP Server EUVDEUVD-2026-42720

| CVE-2026-55604 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-09 GitHub_M
8.6
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
vuln.today AI
8.2 HIGH

Unauthenticated caller-controlled session_id (PR:N/AC:L) exposes victim conversations (C:H) and allows continuing them (I:L); no genuine availability impact, so A:N rather than the vendor's A:L.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 23:02 EUVD
Analysis Generated
Jul 09, 2026 - 22:05 vuln.today

DescriptionCVE.org

DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the process-global SessionStore accepts caller-supplied session_id values without binding them to any authenticated principal or transport session. An attacker can enumerate active session IDs via deepseek_sessions, then reuse a victim-controlled session_id in deepseek_chat to retrieve and continue the victim's conversation context. Version 1.7.0 contains a patch.

AnalysisAI

Session context hijacking in the arikusi DeepSeek MCP Server (versions 1.4.2 through 1.6.x) lets remote attackers read and continue another user's DeepSeek V4 conversations. The process-global SessionStore trusts any caller-supplied session_id without tying it to an authenticated principal or transport session, so an attacker can enumerate live sessions via the deepseek_sessions tool and then replay a victim's session_id through deepseek_chat. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach network-exposed MCP server
Delivery
Call deepseek_sessions to enumerate IDs
Exploit
Select victim session_id
Execution
Replay id in deepseek_chat
Persist
Retrieve and continue victim conversation
Impact
Exfiltrate sensitive context

Vulnerability AssessmentAI

Exploitation Exploitation requires the DeepSeek MCP Server (v1.4.2-1.6.x) to be reachable by the attacker AND to hold more than one caller's sessions in its process-global SessionStore - i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L, base 8.6) portrays a network-reachable, unauthenticated, low-complexity attack with high confidentiality impact - consistent with the description, since enumeration plus replay requires no credentials or victim interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to a shared or network-exposed DeepSeek MCP Server calls the deepseek_sessions tool to list active session_id values, picks one belonging to a victim, and issues a deepseek_chat request carrying that session_id. The server returns the victim's prior conversation context and lets the attacker continue it, exposing any sensitive data the victim discussed and allowing injected follow-up turns. …
Remediation Vendor-released patch: upgrade to version 1.7.0 (https://github.com/arikusi/deepseek-mcp-server/releases/tag/v1.7.0), which binds session identifiers to their owning principal/transport session. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all systems running arikusi DeepSeek MCP Server versions 1.4.2-1.6.x; isolate from production if operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42720 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy