Skip to main content

Python Sdk

3 CVEs product

Monthly

CVE-2026-59950 HIGH PATCH This Week

Cross-origin WebSocket hijacking in the Model Context Protocol Python SDK (mcp on PyPI) before 1.28.1 lets a remote web page connect to any application exposing the deprecated mcp.server.websocket.websocket_server transport, because that transport accepted handshakes without Host or Origin validation and offered no SDK-level control to restrict connecting origins. A malicious site loaded in a victim's browser can therefore open an MCP session against a locally reachable server and drive its tools. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the tags flag it as information disclosure.

Python Information Disclosure Python Sdk
NVD GitHub
CVSS 4.0
7.6
EPSS
0.2%
CVE-2026-52870 HIGH PATCH This Week

Missing authorization in the MCP Python SDK (the `mcp` PyPI package) versions 1.23.0 through 1.27.1 lets any authenticated client of a multi-client server enumerate, read the results of, consume messages from, or cancel tasks belonging to other clients. The default handlers wired up by `server.experimental.enable_tasks()` for tasks/list, tasks/get, tasks/result, and tasks/cancel key solely on the task identifier and never bind a task to the session that created it. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the upstream fix, deprecation warnings, and detailed advisory confirm the flaw; it is resolved in version 1.27.2.

Python Authentication Bypass Python Sdk
NVD GitHub
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-52869 HIGH PATCH This Week

Cross-session message injection in the MCP Python SDK (the 'mcp' package on PyPI) prior to 1.27.2 allows an authenticated client holding a valid bearer token to hijack another principal's session on the SSE and stateful Streamable HTTP transports. Because SseServerTransport and StreamableHTTPSessionManager route inbound requests using only the session_id query parameter or Mcp-Session-Id header - never checking that the caller is the same authenticated principal who created the session - any bearer-token-authenticated client who learns a victim's session ID can inject arbitrary JSON-RPC messages into that session. There is no public exploit identified at time of analysis and no CISA KEV listing; the flaw is fixed in version 1.27.2.

Python Authentication Bypass Python Sdk
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Cross-origin WebSocket hijacking in the Model Context Protocol Python SDK (mcp on PyPI) before 1.28.1 lets a remote web page connect to any application exposing the deprecated mcp.server.websocket.websocket_server transport, because that transport accepted handshakes without Host or Origin validation and offered no SDK-level control to restrict connecting origins. A malicious site loaded in a victim's browser can therefore open an MCP session against a locally reachable server and drive its tools. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the tags flag it as information disclosure.

Python Information Disclosure Python Sdk
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Missing authorization in the MCP Python SDK (the `mcp` PyPI package) versions 1.23.0 through 1.27.1 lets any authenticated client of a multi-client server enumerate, read the results of, consume messages from, or cancel tasks belonging to other clients. The default handlers wired up by `server.experimental.enable_tasks()` for tasks/list, tasks/get, tasks/result, and tasks/cancel key solely on the task identifier and never bind a task to the session that created it. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the upstream fix, deprecation warnings, and detailed advisory confirm the flaw; it is resolved in version 1.27.2.

Python Authentication Bypass Python Sdk
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-session message injection in the MCP Python SDK (the 'mcp' package on PyPI) prior to 1.27.2 allows an authenticated client holding a valid bearer token to hijack another principal's session on the SSE and stateful Streamable HTTP transports. Because SseServerTransport and StreamableHTTPSessionManager route inbound requests using only the session_id query parameter or Mcp-Session-Id header - never checking that the caller is the same authenticated principal who created the session - any bearer-token-authenticated client who learns a victim's session ID can inject arbitrary JSON-RPC messages into that session. There is no public exploit identified at time of analysis and no CISA KEV listing; the flaw is fixed in version 1.27.2.

Python Authentication Bypass Python Sdk
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy