CVE-2026-52870 in python-sdk
Summary
by MITRE • 07/15/2026
The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol (MCP). From 1.23.0 until 1.27.2, default handlers installed by server.experimental.enable_tasks() for tasks/list, tasks/get, tasks/result, and tasks/cancel operate only on task identifiers without recording the session that created each task, allowing any connected client to enumerate, read results from, consume messages for, or cancel other clients' tasks. This issue is fixed in version 1.27.2.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability in the MCP Python SDK represents a critical access control flaw that undermines the security model of the Model Context Protocol implementation. This issue affects versions 1.23.0 through 1.27.2 where the server.experimental.enable_tasks() function installs default handlers for core task management operations including tasks/list, tasks/get, tasks/result, and tasks/cancel. The fundamental problem lies in the absence of session context validation within these handlers, creating a scenario where any authenticated client can manipulate tasks belonging to other sessions.
The technical flaw stems from improper session isolation mechanisms within the task management subsystem. When default handlers are registered through enable_tasks(), they process task operations based solely on task identifiers without maintaining or verifying the session association that originally created each task. This design oversight creates a privilege escalation vulnerability where clients can enumerate all active tasks across different sessions, read results generated by other clients, consume messages intended for different sessions, and cancel tasks initiated by other users. The absence of proper session validation allows unauthorized access to task resources that should remain isolated between client sessions.
This vulnerability has significant operational impact within environments relying on MCP for secure task execution and management. The lack of session boundaries enables information disclosure where sensitive task results and intermediate processing data can be accessed by unauthorized parties. Additionally, the ability to cancel other clients' tasks creates potential for denial of service attacks that can disrupt legitimate workflow processes. The enumeration capability allows attackers to discover active tasks and potentially identify system behavior patterns or extract metadata about ongoing operations.
The fix implemented in version 1.27.2 addresses this issue by introducing proper session context validation within the task handlers, ensuring that each operation is restricted to tasks belonging to the requesting session. This remediation aligns with security best practices for maintaining proper access control boundaries and session isolation. Organizations using affected versions should immediately upgrade to 1.27.2 or later to prevent potential exploitation of this vulnerability.
This vulnerability classifies under CWE-284 Access Control Issues, specifically representing improper access control due to insufficient session validation. The attack pattern aligns with MITRE ATT&CK technique T1566 Privilege Escalation through the ability to manipulate task resources beyond intended scope. The security implications extend beyond simple information disclosure to include potential system availability impacts through task cancellation and resource consumption manipulation. Organizations should review their deployment configurations to ensure proper session isolation is maintained across all MCP implementations and consider implementing additional monitoring for unauthorized task enumeration or manipulation activities.
The vulnerability demonstrates a common pattern in distributed systems where session management becomes critical for maintaining data integrity and access control boundaries. Proper session context tracking within task handlers ensures that resource ownership semantics are preserved across concurrent client operations, preventing cross-session contamination of task state and results. This incident underscores the importance of implementing comprehensive access control validation mechanisms in multi-client protocol implementations where resource isolation is paramount for security posture maintenance.