PT-2026-53225 · Pypi · Mcp Python Sdk
Published
2026-06-27
·
Updated
2026-06-28
·
CVE-2026-52869
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
mcp Python SDK versions prior to 1.27.2
Description
Principal confusion exists in the HTTP transports of the mcp Python SDK. Specifically, the SSE and Streamable HTTP stateful mode routed sessions fail to verify if the principal matches the session creator. This allows an attacker who possesses a session ID to hijack the session.
Recommendations
Update to version 1.27.2.
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Mcp Python Sdk