Skip to main content

Deepseek Mcp Server

2 CVEs product

Monthly

CVE-2026-55604 HIGH PATCH This Week

Session context hijacking in the arikusi DeepSeek MCP Server (versions 1.4.2 through 1.6.x) lets remote attackers read and continue another user's DeepSeek V4 conversations. The process-global SessionStore trusts any caller-supplied session_id without tying it to an authenticated principal or transport session, so an attacker can enumerate live sessions via the deepseek_sessions tool and then replay a victim's session_id through deepseek_chat. No public exploit identified at time of analysis and it is not on CISA KEV, but the mechanics are trivial and fully described in the vendor advisory (GHSA-fh3r-g96v-f578); version 1.7.0 fixes it.

Authentication Bypass Deepseek Mcp Server
NVD GitHub
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-55605 MEDIUM PATCH This Month

Unauthenticated access to the self-hosted HTTP transport of DeepSeek MCP Server (versions 1.4.2-1.7.x) allows any network-reachable client to initialize a valid MCP session, enumerate server tools, and invoke them without credentials - including `deepseek_chat`, which silently consumes the server operator's `DEEPSEEK_API_KEY`. Default Docker deployments expose port 3000 in HTTP mode out of the box, maximizing the attack surface for any container running on a network-accessible host. No public exploit has been identified at time of analysis, though the GitHub advisory references reproduced testing confirming the full bypass against commit `5e1302171e99`.

Authentication Bypass Docker Deepseek Mcp Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.4%
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Session context hijacking in the arikusi DeepSeek MCP Server (versions 1.4.2 through 1.6.x) lets remote attackers read and continue another user's DeepSeek V4 conversations. The process-global SessionStore trusts any caller-supplied session_id without tying it to an authenticated principal or transport session, so an attacker can enumerate live sessions via the deepseek_sessions tool and then replay a victim's session_id through deepseek_chat. No public exploit identified at time of analysis and it is not on CISA KEV, but the mechanics are trivial and fully described in the vendor advisory (GHSA-fh3r-g96v-f578); version 1.7.0 fixes it.

Authentication Bypass Deepseek Mcp Server
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated access to the self-hosted HTTP transport of DeepSeek MCP Server (versions 1.4.2-1.7.x) allows any network-reachable client to initialize a valid MCP session, enumerate server tools, and invoke them without credentials - including `deepseek_chat`, which silently consumes the server operator's `DEEPSEEK_API_KEY`. Default Docker deployments expose port 3000 in HTTP mode out of the box, maximizing the attack surface for any container running on a network-accessible host. No public exploit has been identified at time of analysis, though the GitHub advisory references reproduced testing confirming the full bypass against commit `5e1302171e99`.

Authentication Bypass Docker Deepseek Mcp Server
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy