{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mcp--1.23.0--1.27.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.6,"id":"CVE-2026-52870"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["mcp (\u003e= 1.23.0, \u003c= 1.27.1)"],"_cs_severities":["medium"],"_cs_tags":["vulnerability","server-side-request-forgery","data-exfiltration","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["MCP"],"content_html":"\u003cp\u003eA significant vulnerability, tracked as CVE-2026-52870, has been identified in the experimental tasks feature of the MCP Python SDK, affecting versions 1.23.0 through 1.27.1. When developers explicitly enable this feature by calling \u003ccode\u003eserver.experimental.enable_tasks()\u003c/code\u003e, the default request handlers for tasks (\u003ccode\u003etasks/list\u003c/code\u003e, \u003ccode\u003etasks/get\u003c/code\u003e, \u003ccode\u003etasks/result\u003c/code\u003e, \u003ccode\u003etasks/cancel\u003c/code\u003e) fail to validate which client session created a specific task. This critical oversight allows any client connected to the server to enumerate, access, retrieve results from, and cancel tasks initiated by other clients. The impact includes unauthorized disclosure of task results and elicitation payloads, interception of messages intended for other clients, and potential denial of service by prematurely terminating ongoing tasks. This flaw presents a serious risk to multi-client applications utilizing the experimental task management functionality, enabling malicious clients to disrupt operations and exfiltrate sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker establishes a connection to a server running the vulnerable MCP Python SDK application with \u003ccode\u003eserver.experimental.enable_tasks()\u003c/code\u003e enabled, posing as a legitimate client.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003etasks/list\u003c/code\u003e request to the server, which, due to the vulnerability, returns a list of all active tasks across all connected client sessions.\u003c/li\u003e\n\u003cli\u003eUsing the task identifiers obtained from the \u003ccode\u003etasks/list\u003c/code\u003e response, the attacker sends \u003ccode\u003etasks/get\u003c/code\u003e and \u003ccode\u003etasks/result\u003c/code\u003e requests to retrieve the status and outcomes of tasks belonging to other clients.\u003c/li\u003e\n\u003cli\u003eThe attacker may also retrieve queued task messages, such as elicitation requests, intended for other clients, effectively consuming messages and preventing the legitimate recipient from receiving them.\u003c/li\u003e\n\u003cli\u003eThe attacker can then analyze the sensitive data contained within these task results or messages.\u003c/li\u003e\n\u003cli\u003eAs a final step, the attacker sends \u003ccode\u003etasks/cancel\u003c/code\u003e requests for tasks identified in previous steps, terminating legitimate operations initiated by other clients, leading to a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eServers utilizing the affected MCP Python SDK versions (1.23.0 to 1.27.1) with the experimental tasks feature enabled are at risk. This vulnerability allows for unauthorized access to sensitive task results and elicitation payloads belonging to other clients, compromising data confidentiality. Furthermore, attackers can intercept messages meant for legitimate clients and disrupt service by canceling tasks, leading to operational downtime or data inconsistencies. The direct consequences could range from competitive intelligence gathering to sabotage of critical business processes, particularly in environments where multiple clients interact with shared server resources. The number of directly affected organizations depends on the adoption rate of this specific experimental and opt-in feature.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the MCP Python SDK to version 1.27.2 or later immediately to address CVE-2026-52870, which embeds opaque per-session markers in task IDs and restricts access to session-specific tasks.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not feasible, ensure that the \u003ccode\u003eserver.experimental.enable_tasks()\u003c/code\u003e feature is disabled in your application configuration.\u003c/li\u003e\n\u003cli\u003eFor applications requiring task handlers, register custom handlers that explicitly validate session ownership for each task request (\u003ccode\u003etasks/list\u003c/code\u003e, \u003ccode\u003etasks/get\u003c/code\u003e, \u003ccode\u003etasks/result\u003c/code\u003e, \u003ccode\u003etasks/cancel\u003c/code\u003e) to prevent unauthorized cross-client access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T19:57:09Z","date_published":"2026-07-16T19:57:09Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mcp-python-sdk-task-handler-vulnerability/","summary":"A high-severity vulnerability (CVE-2026-52870) in the MCP Python SDK's experimental task handlers, specifically in versions 1.23.0 through 1.27.1, allows any connected client to observe, read results from, and cancel tasks belonging to other clients due to a lack of session validation, potentially leading to unauthorized data access and denial of service.","title":"MCP Python SDK Vulnerability Allows Cross-Client Task Access and Cancellation (CVE-2026-52870)","url":"https://feed.craftedsignal.io/briefs/2026-07-mcp-python-sdk-task-handler-vulnerability/"}],"language":"en","title":"CraftedSignal Threat Feed - Mcp (\u003e= 1.23.0, \u003c= 1.27.1)","version":"https://jsonfeed.org/version/1.1"}