Product
A high-severity authentication bypass vulnerability, CVE-2026-52869, exists in affected versions of the MCP Python SDK's HTTP transports, allowing an attacker who obtains or guesses a session ID to send JSON-RPC messages to an existing session without verifying the authenticated principal, thereby bypassing per-client isolation and potentially injecting messages.