PT-2026-53225 · Pypi · Mcp Python Sdk

Published

2026-06-27

·

Updated

2026-06-28

·

CVE-2026-52869

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions mcp Python SDK versions prior to 1.27.2
Description Principal confusion exists in the HTTP transports of the mcp Python SDK. Specifically, the SSE and Streamable HTTP stateful mode routed sessions fail to verify if the principal matches the session creator. This allows an attacker who possesses a session ID to hijack the session.
Recommendations Update to version 1.27.2.
Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

CVE-2026-52869

Affected Products

Mcp Python Sdk