Python Sdk
Monthly
Cross-origin WebSocket hijacking in the Model Context Protocol Python SDK (mcp on PyPI) before 1.28.1 lets a remote web page connect to any application exposing the deprecated mcp.server.websocket.websocket_server transport, because that transport accepted handshakes without Host or Origin validation and offered no SDK-level control to restrict connecting origins. A malicious site loaded in a victim's browser can therefore open an MCP session against a locally reachable server and drive its tools. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the tags flag it as information disclosure.
Missing authorization in the MCP Python SDK (the `mcp` PyPI package) versions 1.23.0 through 1.27.1 lets any authenticated client of a multi-client server enumerate, read the results of, consume messages from, or cancel tasks belonging to other clients. The default handlers wired up by `server.experimental.enable_tasks()` for tasks/list, tasks/get, tasks/result, and tasks/cancel key solely on the task identifier and never bind a task to the session that created it. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the upstream fix, deprecation warnings, and detailed advisory confirm the flaw; it is resolved in version 1.27.2.
Cross-session message injection in the MCP Python SDK (the 'mcp' package on PyPI) prior to 1.27.2 allows an authenticated client holding a valid bearer token to hijack another principal's session on the SSE and stateful Streamable HTTP transports. Because SseServerTransport and StreamableHTTPSessionManager route inbound requests using only the session_id query parameter or Mcp-Session-Id header - never checking that the caller is the same authenticated principal who created the session - any bearer-token-authenticated client who learns a victim's session ID can inject arbitrary JSON-RPC messages into that session. There is no public exploit identified at time of analysis and no CISA KEV listing; the flaw is fixed in version 1.27.2.
Cross-origin WebSocket hijacking in the Model Context Protocol Python SDK (mcp on PyPI) before 1.28.1 lets a remote web page connect to any application exposing the deprecated mcp.server.websocket.websocket_server transport, because that transport accepted handshakes without Host or Origin validation and offered no SDK-level control to restrict connecting origins. A malicious site loaded in a victim's browser can therefore open an MCP session against a locally reachable server and drive its tools. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the tags flag it as information disclosure.
Missing authorization in the MCP Python SDK (the `mcp` PyPI package) versions 1.23.0 through 1.27.1 lets any authenticated client of a multi-client server enumerate, read the results of, consume messages from, or cancel tasks belonging to other clients. The default handlers wired up by `server.experimental.enable_tasks()` for tasks/list, tasks/get, tasks/result, and tasks/cancel key solely on the task identifier and never bind a task to the session that created it. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the upstream fix, deprecation warnings, and detailed advisory confirm the flaw; it is resolved in version 1.27.2.
Cross-session message injection in the MCP Python SDK (the 'mcp' package on PyPI) prior to 1.27.2 allows an authenticated client holding a valid bearer token to hijack another principal's session on the SSE and stateful Streamable HTTP transports. Because SseServerTransport and StreamableHTTPSessionManager route inbound requests using only the session_id query parameter or Mcp-Session-Id header - never checking that the caller is the same authenticated principal who created the session - any bearer-token-authenticated client who learns a victim's session ID can inject arbitrary JSON-RPC messages into that session. There is no public exploit identified at time of analysis and no CISA KEV listing; the flaw is fixed in version 1.27.2.