High severity · NVD Advisory · Published Feb 4, 2026 · Updated Feb 5, 2026
@modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse
CVE-2026-25536
Description
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. In versions 1.10.0 through 1.25.3, response data can leak across clients when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @modelcontextprotocol/sdk (npm) | >= 1.10.0, < 1.26.0 | 1.26.0 |
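
A lockfile check for the affected range in the table above, as an added example that is not part of the advisory or the SDK. `SAMPLE_LOCK` and the `some-agent` package are constructed; prerelease and non-semver version strings are reported as `review` because the advisory range does not place them.

```javascript
// Added example: classify lockfile entries for the package named in this advisory.
const PKG = "@modelcontextprotocol/sdk";
const AFFECTED_MIN = [1, 10, 0]; // inclusive lower bound from the advisory
const PATCHED = [1, 26, 0];      // first patched version (exclusive upper bound)

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns "affected", "ok", or "review" (version cannot be placed against the range).
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/
    .exec(String(version || "").trim());
  if (!m || m[4]) return "review"; // git/tarball spec, missing field, or prerelease
  const v = [Number(m[1]), Number(m[2]), Number(m[3])];
  return cmp(v, AFFECTED_MIN) >= 0 && cmp(v, PATCHED) < 0 ? "affected" : "ok";
}

// Collects every installed copy, including ones nested under other dependencies.
function findInLock(lock) {
  const hits = [];
  const add = (path, version) => hits.push({ path, version, status: classify(version) });
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
      add(path, meta.version);
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists)
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PKG) add(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not from a real project; "some-agent" is hypothetical).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/@modelcontextprotocol/sdk": { version: "1.26.0" },
    "node_modules/some-agent/node_modules/@modelcontextprotocol/sdk": { version: "1.17.2" },
  },
};
console.log(findInLock(SAMPLE_LOCK));
```
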
Affected products
16 products. osv-coords, 15 versions:

| Package URL | CPE | Affected range |
|---|---|---|
| pkg:apk/chainguard/kibana-9.1 | (no CPE) | < 9.1.10-r4 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | (no CPE) | < 9.1.10-r4 |
| pkg:apk/chainguard/kibana-9.2 | (no CPE) | < 9.2.5-r0 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | (no CPE) | < 9.2.5-r0 |
| pkg:apk/chainguard/langfuse-3 | (no CPE) | < 3.153.0-r0 |
| pkg:apk/chainguard/langfuse-3-worker | (no CPE) | < 3.153.0-r0 |
| pkg:apk/chainguard/langfuse-fips-3 | (no CPE) | < 3.152.0-r0 |
| pkg:apk/chainguard/langfuse-fips-3-worker | (no CPE) | < 3.152.0-r0 |
| pkg:apk/chainguard/librechat | (no CPE) | < 0.8.2-r2 |
| pkg:apk/chainguard/opensearch-dashboards-2 | (no CPE) | < 2.19.4-r8 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | (no CPE) | < 2.19.4-r9 |
| pkg:apk/wolfi/langfuse-3 | (no CPE) | < 3.153.0-r0 |
| pkg:apk/wolfi/langfuse-3-worker | (no CPE) | < 3.153.0-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2 | (no CPE) | < 2.19.4-r8 |
| pkg:npm/%40modelcontextprotocol/sdk | (no CPE) | >= 1.10.0, < 1.26.0 |

- Range: >= 1.10.0, < 1.26.0
References
- github.com/advisories/GHSA-345p-7cg4-v4c7 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-25536 (ghsa, ADVISORY)
- github.com/modelcontextprotocol/typescript-sdk/issues/204 (ghsa, x_refsource_MISC, WEB)
- github.com/modelcontextprotocol/typescript-sdk/issues/243 (ghsa, x_refsource_MISC, WEB)
- github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7 (ghsa, x_refsource_CONFIRM, WEB)