PT-2026-6315 · Unknown · Mcp Typescript Sdk

Ahabian +1 · Published 2026-02-04 · Updated 2026-04-22 · CVE-2026-25536

CVSS v3.1: 7.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

MCP TypeScript SDK versions 1.10.0 through 1.25.3

Description

The MCP TypeScript SDK, designed for Model Context Protocol servers and clients, exhibits a cross-client response data leak. This occurs when a single McpServer/Server and transport instance is reused across multiple client connections, particularly in stateless StreamableHTTPServerTransport deployments. The issue has been addressed in version 1.26.0.

Recommendations

Update to version 1.26.0 or later.

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers

CVE-2026-25536
GHSA-345P-7CG4-V4C7
GHSA-W2FM-25VW-VH7F

Affected Products

Mcp Typescript Sdk