Vulnerability  ·  2026-07-17

MCP Python SDK — Task Handlers Operate Without Session/Ownership Validation (tasks/list, tasks/get, tasks/result, tasks/cancel)

VulnerabilityHigh impactGlobalCVE-2026-52870
The official Model Context Protocol Python SDK's experimental task-management feature failed to bind task operations to the session that created them, letting any connected client query, retrieve results from, or cancel tasks belonging to other clients on a shared MCP server.
The MCP Python SDK is the reference implementation many third-party MCP servers build on; a cross-session task/data leak at the SDK level has ecosystem-wide blast radius across any agentic tool server using the async task feature to process user data.
Default handlers installed by server.experimental.enable_tasks() for tasks/list, tasks/get, tasks/result, and tasks/cancel operate purely on task identifiers without validating the requesting session owns that task, allowing one client to view or cancel another client's async task results.
MCP Python SDK (mcp on PyPI) 1.23.0 – 1.27.2
Upgrade to MCP Python SDK 1.27.2 or later.
NVD CVE-2026-52870
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →