{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25536", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T19:59:47.374Z", "datePublished": "2026-02-04T21:29:38.276Z", "dateUpdated": "2026-02-05T20:58:17.103Z"}, "containers": {"cna": {"title": "@modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7"}, {"name": "https://github.com/modelcontextprotocol/typescript-sdk/issues/204", "tags": ["x_refsource_MISC"], "url": "https://github.com/modelcontextprotocol/typescript-sdk/issues/204"}, {"name": "https://github.com/modelcontextprotocol/typescript-sdk/issues/243", "tags": ["x_refsource_MISC"], "url": "https://github.com/modelcontextprotocol/typescript-sdk/issues/243"}], "affected": [{"vendor": "modelcontextprotocol", "product": "typescript-sdk", "versions": [{"version": ">= 1.10.0, < 1.26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T21:29:38.276Z"}, "descriptions": [{"lang": "en", "value": "MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0."}], "source": {"advisory": "GHSA-345p-7cg4-v4c7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T20:58:06.900713Z", "id": "CVE-2026-25536", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T20:58:17.103Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25536", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T20:58:06.900713Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T20:58:11.079Z"}}], "cna": {"title": "@modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse", "source": {"advisory": "GHSA-345p-7cg4-v4c7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "modelcontextprotocol", "product": "typescript-sdk", "versions": [{"status": "affected", "version": ">= 1.10.0, < 1.26.0"}]}], "references": [{"url": "https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7", "name": "https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/modelcontextprotocol/typescript-sdk/issues/204", "name": "https://github.com/modelcontextprotocol/typescript-sdk/issues/204", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/modelcontextprotocol/typescript-sdk/issues/243", "name": "https://github.com/modelcontextprotocol/typescript-sdk/issues/243", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T21:29:38.276Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25536", "state": "PUBLISHED", "dateUpdated": "2026-02-05T20:58:17.103Z", "dateReserved": "2026-02-02T19:59:47.374Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T21:29:38.276Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0."}], "id": "CVE-2026-25536", "lastModified": "2026-02-05T14:57:20.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-04T22:15:59.663", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/modelcontextprotocol/typescript-sdk/issues/204"}, {"source": "security-advisories@github.com", "url": "https://github.com/modelcontextprotocol/typescript-sdk/issues/243"}, {"source": "security-advisories@github.com", "url": "https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "@modelcontextprotocol/sdk: @modelcontextprotocol/sdk cross-client data leak", "id": "2436937", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436937"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-367", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-25536", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-tech-preview/mcp-server-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}], "public_date": "2026-02-04T21:29:38Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25536\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25536\nhttps://github.com/modelcontextprotocol/typescript-sdk/issues/204\nhttps://github.com/modelcontextprotocol/typescript-sdk/issues/243\nhttps://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7"], "threat_severity": "Important"}