Intel

AIKIDO-2026-577123

mcp is vulnerable to Session Hijacking

Session HijackingGHSA-5p9g-j988-pcwv Published Today

70

High Risk

This Affects:

RUBYmcp
0.1.0 - 0.22.0
Fixed in 0.23.0
Are you affected? Scan for Free

TL;DR

The Streamable HTTP and SSE transports in MCP::Server::Transports::StreamableHTTPTransport do not bind session IDs to the client that created them and never validate session ownership on incoming requests. An attacker who obtains a valid session ID can POST tool calls that execute against the victim's session, with results delivered to the victim's SSE stream. This allows silent session hijacking and unauthorized tool execution against the victim's session. The fix adds a session-ownership hook so requests can be validated against the owning client.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and use the Streamable HTTP or SSE transport where session IDs can be observed by an untrusted party.

Background info

mcp is vulnerable to Session Hijacking in versions 0.1.0 - 0.22.0.

How to fix this

Upgrade the mcp library to the patch version.