CVE-2026-52869 in python-sdkinfo

Summary

by MITRE • 07/15/2026

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to 1.27.2, the SSE and stateful Streamable HTTP transports mcp.server.sse.SseServerTransport and mcp.server.streamable_http_manager.StreamableHTTPSessionManager route requests to existing sessions using only the session_id query parameter or Mcp-Session-Id header without verifying the authenticated principal that created the session, allowing a different bearer-token-authenticated client with a known session ID to inject JSON-RPC messages into that session. This issue is fixed in version 1.27.2.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/15/2026

The mcp Python SDK represents a critical implementation flaw within the Model Context Protocol ecosystem that exposes systems to unauthorized message injection attacks through improper session validation mechanisms. This vulnerability affects versions prior to 1.27.2 of the mcp package distributed on PyPI, where the server-side transports for Server-Sent Events and stateful HTTP streaming fail to establish proper authentication verification before routing incoming requests to existing sessions. The flaw exists specifically in the mcp.server.sse.SseServerTransport and mcp.server.streamable_http_manager.StreamableHTTPSessionManager components that handle session management for these transport protocols.

The technical implementation defect stems from the absence of principal validation when processing session identifiers, allowing attackers to exploit the system through known session IDs obtained through various means such as session enumeration or prediction. When a client establishes a session through proper authentication with bearer tokens, the system correctly creates and associates that session with the authenticated principal. However, subsequent requests using only the session_id query parameter or Mcp-Session-Id header bypass the authentication verification process, enabling any attacker who knows a valid session ID to inject arbitrary JSON-RPC messages into that session context.

This vulnerability directly maps to CWE-287 - Improper Authentication and aligns with ATT&CK technique T1078 - Valid Accounts, as it allows unauthorized access through legitimate session identifiers. The impact extends beyond simple message injection to potentially enable privilege escalation and data manipulation within the session context, particularly when sessions contain elevated privileges or access to sensitive operations. An attacker could leverage this weakness to execute unauthorized commands, access restricted resources, or manipulate session state in ways that bypass normal security controls.

The operational implications of this vulnerability are significant for any system relying on mcp for protocol handling, as it creates an attack surface where session hijacking becomes trivially possible. Organizations using affected versions face risks including unauthorized data access, command execution within authenticated contexts, and potential lateral movement through compromised sessions. The fix implemented in version 1.27.2 addresses this by enforcing proper authentication verification before routing requests to existing sessions, ensuring that only clients authenticated with the same principal that created the session can inject messages into it. This remediation follows standard security practices for session management and aligns with industry best practices for maintaining session integrity and preventing unauthorized access through session identifier reuse.

The vulnerability demonstrates a common pattern in distributed systems where transport-level security mechanisms fail to properly validate authentication contexts, creating opportunities for attackers to exploit session identifiers without proper authorization checks. This type of flaw typically arises from insufficient separation between session identification and authentication verification phases in the request processing pipeline, where session lookups occur before principal validation occurs. The fix represents a necessary security hardening measure that enforces proper access control boundaries at the session routing level, preventing the injection of messages into sessions without proper authorization through the original authenticated principal.

Responsible

GitHub M

Reservation

06/08/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!