{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mcp-python-sdk--1.27.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-52869"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MCP Python SDK \u003c= 1.27.1"],"_cs_severities":["high"],"_cs_tags":["vulnerability","authentication-bypass","python","sdk","web-application"],"_cs_type":"advisory","_cs_vendors":["MCP"],"content_html":"\u003cp\u003eA significant authentication bypass vulnerability, identified as CVE-2026-52869, has been discovered in the MCP Python SDK versions up to 1.27.1. This flaw specifically impacts application servers using either the SSE (\u003ccode\u003emcp.server.sse.SseServerTransport\u003c/code\u003e) or Streamable HTTP (\u003ccode\u003emcp.server.streamable_http_manager.StreamableHTTPSessionManager\u003c/code\u003e) transports in stateful mode, particularly when authentication is configured. The vulnerability stems from the transports routing incoming requests to an existing session based solely on the session identifier (a query parameter or header), without validating that the request originates from the same authenticated principal who initially created the session. This oversight allows an attacker who can acquire or guess a session ID to inject unauthorized JSON-RPC messages into an active session, effectively bypassing the per-client isolation intended by authentication. The SSE transport has been affected since its initial release, while the Streamable HTTP transport became vulnerable in version 1.8.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Reconnaissance\u003c/strong\u003e: The attacker identifies a target application server utilizing the MCP Python SDK with HTTP transports (SSE or Streamable HTTP) and configured authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSession ID Acquisition\u003c/strong\u003e: The attacker obtains an active session ID for a legitimate user through out-of-band means such as sniffing network traffic, log compromise, or brute-forcing (session IDs are UUIDs, making brute-force difficult but not impossible).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCrafting Malicious Request\u003c/strong\u003e: The attacker crafts a request containing malicious JSON-RPC messages, including the obtained legitimate \u003ccode\u003esession_id\u003c/code\u003e (for SSE) or \u003ccode\u003eMcp-Session-Id\u003c/code\u003e header (for Streamable HTTP).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Bypass\u003c/strong\u003e: The attacker sends the malicious request to the vulnerable server. The server routes the request to the target session solely based on the session ID, bypassing principal authentication checks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMessage Injection\u003c/strong\u003e: The server processes the attacker's JSON-RPC messages within the context of the legitimate user's session, despite the request carrying a different or invalid bearer token.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact on Session\u003c/strong\u003e: The injected messages can alter the session state, perform unauthorized actions, or exfiltrate sensitive information, depending on the application's functionality.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResponse Delivery\u003c/strong\u003e: For SSE, the response to the injected message is delivered to the original legitimate client's event stream. For Streamable HTTP, the injecting client receives the response directly.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAchieve Objective\u003c/strong\u003e: The attacker successfully compromises session integrity, leading to unauthorized data manipulation or access, bypassing the intended per-client isolation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf successfully exploited, CVE-2026-52869 allows an attacker to bypass critical per-client isolation mechanisms provided by authentication in application servers using the MCP Python SDK's HTTP transports. This means that an attacker, upon obtaining a valid session ID, can inject arbitrary JSON-RPC messages into another user's active session. The direct consequence is unauthorized access and potential manipulation of session-dependent data or functionality. While session IDs are randomly generated UUIDs, making blind guessing difficult, any out-of-band leakage (e.g., via logs, network observation, or cross-site scripting) would enable exploitation. The impact could range from data corruption or unauthorized information disclosure to complete account compromise, depending on the privileges associated with the compromised session and the capabilities of the JSON-RPC interface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003epip/mcp\u003c/code\u003e package to version 1.27.2 or later immediately to address CVE-2026-52869.\u003c/li\u003e\n\u003cli\u003eEnsure that, for deployments where many end users share a single OAuth client, the token verifier populates \u003ccode\u003eAccessToken.subject\u003c/code\u003e (e.g., from the token's \u003ccode\u003esub\u003c/code\u003e claim) to enforce per-user session isolation.\u003c/li\u003e\n\u003cli\u003eReview custom authentication backends, if used, to ensure they enforce equivalent principal verification checks as introduced in MCP Python SDK 1.27.2.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T19:59:49Z","date_published":"2026-07-16T19:59:49Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mcp-python-sdk-auth-bypass/","summary":"A high-severity authentication bypass vulnerability, CVE-2026-52869, exists in affected versions of the MCP Python SDK's HTTP transports, allowing an attacker who obtains or guesses a session ID to send JSON-RPC messages to an existing session without verifying the authenticated principal, thereby bypassing per-client isolation and potentially injecting messages.","title":"MCP Python SDK Authentication Bypass Vulnerability (CVE-2026-52869)","url":"https://feed.craftedsignal.io/briefs/2026-07-mcp-python-sdk-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - MCP Python SDK \u003c= 1.27.1","version":"https://jsonfeed.org/version/1.1"}