CVE-2026-55604 in MCP Server
Summary
by MITRE • 07/10/2026
DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the process-global `SessionStore` accepts caller-supplied `session_id` values without binding them to any authenticated principal or transport session. An attacker can enumerate active session IDs via `deepseek_sessions`, then reuse a victim-controlled `session_id` in `deepseek_chat` to retrieve and continue the victim's conversation context. Version 1.7.0 contains a patch.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The DeepSeek MCP Server vulnerability represents a critical session management flaw that undermines the security of conversational AI interactions within the platform. This issue affects versions between 1.4.2 and 1.7.0, where the server's SessionStore implementation fails to properly associate session identifiers with authenticated users or transport sessions. The vulnerability stems from a fundamental lack of session binding controls that should prevent unauthorized access to conversation contexts. When attackers can enumerate active session IDs through the deepseek_sessions endpoint, they gain the ability to hijack ongoing conversations by simply reusing valid session identifiers in subsequent deepseek_chat requests.
The technical nature of this flaw aligns with CWE-613, which addresses insufficient session binding, and represents a direct violation of secure session management practices. The vulnerability operates through a process-global SessionStore that accepts arbitrary session_id values without proper validation or authentication checks. This design allows attackers to perform session enumeration attacks against the deepseek_sessions endpoint, discovering valid session identifiers that can then be reused by unauthorized parties. The attacker's ability to reuse victim-controlled session IDs effectively grants them access to the victim's conversation context, potentially exposing sensitive information shared during previous interactions.
The operational impact of this vulnerability extends beyond simple information disclosure, as it enables persistent unauthorized access to user conversations and data. Attackers can not only read ongoing conversations but also continue them, potentially manipulating or poisoning the conversation flow while maintaining the appearance of legitimate user activity. This creates a sophisticated attack vector that can be exploited for data exfiltration, social engineering, or even impersonation attacks within the conversational AI environment. The vulnerability effectively breaks the isolation between different users' sessions, creating a scenario where session hijacking becomes trivially possible without requiring additional authentication credentials.
Mitigation strategies should focus on implementing proper session binding mechanisms that associate session identifiers with authenticated principals and transport sessions. The patched version 1.7.0 addresses this by enforcing session binding controls that prevent the reuse of session IDs across different users or contexts. Organizations should implement session validation checks that verify session ownership before allowing access to conversation contexts, utilize secure session generation techniques that include cryptographic binding, and consider implementing session timeout mechanisms that automatically invalidate unused sessions. The solution must align with established security frameworks such as NIST SP 800-63B for identity management and authentication best practices, ensuring that session identifiers cannot be reused without proper authentication or authorization verification to prevent similar vulnerabilities from reoccurring in future implementations.