CVE-2026-52869 | modelcontextprotocol python-sdk up to 1.27.1 SSE Transport/Streamable HTTP Transport server.sse session_id/Mcp-Session-Id injection

SecurityVulns

A vulnerability marked as critical has been reported in modelcontextprotocol python-sdk up to 1.27.1. The impacted element is an unknown function of the file server.sse of the component SSE Transport/Streamable HTTP Transport. The manipulation of the argument session_id/Mcp-Session-Id leads to injection.

This vulnerability is uniquely identified as CVE-2026-52869. The attack is possible to be carried out remotely. No exploit exists.VulDB Recent EntriesRead More