CVE-2026-33946
HIGH
8,2
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
Description
AI Translation Available
MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events (SSE) stream and intercept all real-time data. Version 0.9.2 contains a patch.
EPSS (Exploit Prediction Scoring System)
Trend Analysis
EPSS (Exploit Prediction Scoring System)
Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.
EPSS Score
0,0005
Percentile
0,1th
Updated
EPSS Score Trend (Last 2 Days)
384
Session Fixation
IncompleteCommon Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Gain Privileges Or Assume Identity
Applicable Platforms
Technologies:
Web Based, Web Server
639
Authorization Bypass Through User-Controlled Key
IncompleteCommon Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Bypass Protection Mechanism
Gain Privileges Or Assume Identity
Applicable Platforms
All platforms may be affected
https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextPr…
https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281…
https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/str…
https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_…
https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923ce…
https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2
https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-…
https://hackerone.com/reports/3556146