PT-2026-53226 · Pypi · Mcp Python Sdk

Published

2026-06-27

·

Updated

2026-06-27

·

CVE-2026-52870

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions MCP Python SDK versions prior to 1.27.2
Description A missing authorization issue exists in the official Model Context Protocol Python SDK. On multi-client servers, the default request handlers registered by the experimental enable tasks() helper do not verify the identity of the caller, relying solely on task IDs and storing active workflows in a single global server store. This allows any authenticated client to enumerate, read, and hijack or cancel tasks belonging to other clients.
Recommendations Update to version 1.27.2 or later.
Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

CVE-2026-52870

Affected Products

Mcp Python Sdk