forked from rubysec/ruby-advisory-db
CVE-2026-33946.yml
---
gem: mcp
cve: 2026-33946
ghsa: qvqr-5cv7-wh35
url: https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35
title: MCP Ruby SDK - Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay
date: 2026-03-27
description: |
  ### Summary

  The Ruby SDK's [streamable_http_transport.rb](https://github.com/modelcontextprotocol/ruby-sdk/blob/main/lib/mcp/server/transports/streamable_http_transport.rb)
  implementation contains a session hijacking vulnerability. An attacker
  who obtains a valid session ID can completely hijack the victim's
  Server-Sent Events (SSE) stream and intercept all real-time data.

  ### Details

  **Root Cause**

  The StreamableHTTPTransport implementation stores only one SSE stream
  object per session ID and lacks:

  - Session-to-user identity binding
  - Ownership validation when establishing SSE connections
  - Protection against multiple simultaneous connections to the same session

  ### Impact

  While the absence of user binding may not pose immediate risks if
  session IDs are not used to store sensitive data or state, the
  fundamental purpose of session IDs is to maintain stateful connections.
  If the SDK or its consumers use session IDs for sensitive operations
  without proper user binding controls, this creates a potential security
  vulnerability. For example, in the case of the Ruby SDK, the attacker
  was able to hijack the stream and receive all the tool responses
  belonging to the victim. Tool responses can contain sensitive,
  confidential data.
cvss_v3: 8.2
patched_versions:
  - ">= 0.9.2"
related:
  url:
    - https://www.cve.org/CVERecord?id=CVE-2026-33946
    - https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2
    - https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35
    - https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb
    - https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec42d2d72cb89b3874
    - https://hackerone.com/reports/3556146
    - https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97
    - https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2
    - https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685
    - https://github.com/advisories/GHSA-qvqr-5cv7-wh35
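Added example, not code from the ruby-sdk, its fix commit, or the advisory: a minimal Ruby session registry that supplies the three controls the Details section says the transport lacked (session-to-principal binding, ownership validation when an SSE stream is attached, and at most one active stream per session). `SessionRegistry`, its method names and the returned symbols are hypothetical; the principal is assumed to come from the server's own authentication of the request, never from a value the client supplies.

```ruby
require 'securerandom'

# Hypothetical server-side registry that binds each session ID to the
# authenticated principal and allows a single active SSE stream per session.
class SessionRegistry
  Session = Struct.new(:id, :principal, :stream_active)

  def initialize
    @sessions = {}
  end

  # Identity binding: the principal is fixed when the session is created and
  # must come from the server's authentication layer (e.g. token subject).
  def create(principal)
    raise ArgumentError, 'unauthenticated request' if principal.nil? || principal.empty?
    id = SecureRandom.hex(16) # 128-bit random, unguessable session ID
    @sessions[id] = Session.new(id, principal, false)
    id
  end

  # Ownership validation plus single-stream protection when a client asks to
  # attach an SSE stream to an existing session. Returns a symbol the HTTP
  # layer can map to 404 (unknown), 403 (not owner) or 409 (already open).
  def open_stream(session_id, principal)
    session = @sessions[session_id]
    return :unknown_session if session.nil?
    return :not_owner unless session.principal == principal
    return :stream_already_open if session.stream_active

    session.stream_active = true
    :ok
  end

  # Called when the SSE connection closes so the owner can reconnect.
  def close_stream(session_id)
    session = @sessions[session_id]
    session.stream_active = false if session
    session
  end
end
```

A second attach attempt with a replayed session ID is refused whether it comes from another principal (`:not_owner`) or races the legitimate stream (`:stream_already_open`), which is also the signal worth logging for detection.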