NVD — MCP TypeScript SDK cross-client data leak (CVE-2026-25536)

AI relevance: MCP servers are the tool gateway for LLM agents; cross-client leaks can expose tool results, files, or API data between tenants.

  • CVE-2026-25536 affects @modelcontextprotocol/sdk versions 1.10.0–1.25.3.
  • The issue occurs when a single McpServer + transport instance is reused across multiple client connections.
  • In stateless StreamableHTTPServerTransport setups, responses can be routed to the wrong client under concurrent load.
  • Impact is cross-client data exposure (tool outputs, resource content, error traces).
  • Patched in v1.26.0; NVD classifies it as a race condition (CWE-362).
  • The advisory links to upstream issues and a GitHub Security Advisory for details and remediation.

Security impact

Cross-client leakage is the nightmare scenario for multi-tenant agent platforms. If one client’s session state bleeds into another’s, you get silent data exfiltration between customers — prompts, tool outputs, internal documents, and credentials can spill across trust boundaries. AI platforms often reuse servers and long-lived processes for efficiency; a subtle SDK-level bug can turn that efficiency into a liability.

This is particularly dangerous when agents are deployed as shared services. A malicious tenant can probe for leakage, and even small cross-tenant artifacts (like tool call history or cached responses) can be enough to reconstruct sensitive internal context. Once a leak occurs, it isn’t a single exploit — it’s a systemic violation of data isolation, which can trigger regulatory exposure (GDPR, SOC 2, HIPAA depending on customer profile).

Mitigation strategy

Patch to the fixed SDK immediately and treat session isolation as a hard security boundary. Add explicit tenant IDs to logs, make session caches per-tenant/per-request, and run tests that simulate concurrent tenants. Consider process-level isolation for high-sensitivity tenants and avoid shared in-memory caches unless they’re keyed and cryptographically scoped.

Why it matters

  • MCP deployments often serve multiple tenants; leaked tool outputs can expose credentials, prompts, or internal data.
  • Agent systems chain tools together, so a single leak can cascade across downstream actions.
  • Cross-tenant data exposure undermines trust boundaries in AI ops pipelines.

What to do

  • Upgrade: Move to @modelcontextprotocol/sdk v1.26.0+.
  • Isolate clients: Use separate server/transport instances per client connection.
  • Monitor: Alert on mismatched request/response IDs or unexpected tool outputs.
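
As an added illustration (not code from the SDK or the advisory), the TypeScript model below shows why reusing one server/transport across connections can misroute replies under concurrent load, and implements the request/response-ID check from the "Monitor" item; the tenant names, ids and routing logic are constructed, not the SDK's internals.

```typescript
// Constructed model of the hazard described above (not the SDK's own code):
// JSON-RPC ids are unique only per connection, so routing state shared by
// every connection can hand one tenant's result to another tenant.
type Reply = { id: number; tenant: string; result: string };
class Conn {
  readonly tenant: string;
  readonly sent = new Set<number>();   // ids this connection has issued
  readonly received: Reply[] = [];
  constructor(tenant: string) { this.tenant = tenant; }
}
// shared=true mimics one reused transport with a single routing table;
// shared=false gives each connection its own table (the isolated pattern).
class Router {
  private readonly shared: boolean;
  private readonly sharedTable = new Map<number, Conn>();
  private readonly perConn = new Map<Conn, Map<number, Conn>>();
  constructor(shared: boolean) { this.shared = shared; }
  private table(c: Conn): Map<number, Conn> {
    if (this.shared) return this.sharedTable;
    if (!this.perConn.has(c)) this.perConn.set(c, new Map());
    return this.perConn.get(c)!;
  }
  request(c: Conn, id: number): void { c.sent.add(id); this.table(c).set(id, c); }
  // The server knows which connection a request arrived on; a shared table
  // ignores that and resolves the reply by id alone, so the last writer wins.
  reply(origin: Conn, r: Reply): void {
    const target = this.table(origin).get(r.id);
    if (!target) return;               // orphaned reply is dropped
    target.received.push(r);
    this.table(origin).delete(r.id);
  }
}
// Detector for the "Monitor" item: a reply id this connection never sent,
// or a payload tagged with another tenant, produces an alert line.
function anomalies(conns: Conn[]): string[] {
  const out: string[] = [];
  for (const c of conns) for (const r of c.received) {
    if (!c.sent.has(r.id)) out.push(`${c.tenant}: unexpected reply id ${r.id}`);
    if (r.tenant !== c.tenant) out.push(`${c.tenant}: got ${r.tenant}'s data`);
  }
  return out;
}
// Two tenants in flight at once, both using JSON-RPC id 1 (constructed load).
function simulate(shared: boolean): string[] {
  const a = new Conn("tenant-a"), b = new Conn("tenant-b"), router = new Router(shared);
  router.request(a, 1); router.request(b, 1);
  router.reply(a, { id: 1, tenant: "tenant-a", result: "A's private file" });
  router.reply(b, { id: 1, tenant: "tenant-b", result: "B's private file" });
  return anomalies([a, b]);   // shared: ["tenant-b: got tenant-a's data"]; isolated: []
}
```

Running `simulate(true)` reproduces the cross-tenant delivery and the dropped reply for the second tenant, while `simulate(false)` returns no alerts, which is the property a concurrent-tenant test should assert after upgrading.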

Sources