CVE-2026-25536: @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0.
Security readout for executives and security teams
Plain-English summary
A vulnerable MCP TypeScript SDK deployment can send one client’s response data to another client when server and transport instances are shared across connections. This is primarily a confidentiality issue for MCP services that process sensitive prompts, tool results, or business data. The source bundle says it is fixed in version 1.26.0.
Executive priority
Treat as a high-priority confidentiality fix for AI or automation services using MCP. Upgrade affected SDK versions quickly, then verify deployment patterns. Business urgency is highest where MCP traffic includes confidential customer, employee, security, or operational data.
Technical view
Versions 1.10.0 through 1.25.3 of modelcontextprotocol/typescript-sdk are affected. The flaw is a race/TOCTOU condition involving reused McpServer/Server and transport instances, especially stateless StreamableHTTPServerTransport deployments. CVSS is 7.1, network exploitable, low complexity, requiring low privileges, with high confidentiality and low integrity impact.
Likely exposure
Exposure is most likely in custom MCP servers using @modelcontextprotocol/sdk 1.10.0-1.25.3 and reusing one server or transport instance across multiple client connections. Deployments that create isolated instances per connection may not match the described vulnerable pattern.
Exploitation context
The bundle does not cite active exploitation, and KEV is false. The CVSS vector indicates an authenticated network attacker with low privileges could trigger impact without user interaction. Evidence supports cross-client data leakage, not unauthenticated compromise or code execution.
Researcher notes
The vulnerability is implementation-pattern dependent: the affected SDK range alone is not enough to prove exposure. Focus review on shared mutable server/transport state and concurrent client handling. Sources identify CWE-362 and CWE-367, consistent with race and time-of-check/time-of-use behavior.
Mitigation direction
Upgrade @modelcontextprotocol/sdk to version 1.26.0 or later.
Review vendor advisory for any additional project-specific guidance.
Avoid sharing one McpServer/Server instance across multiple client connections.
Avoid reusing one transport instance across concurrent clients.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-362: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-362 · source CWE mapping
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Time-of-check Time-of-use (TOCTOU) Race Condition represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.