← The Wire

Public story · 2026-07-01 · high

The official MCP TypeScript SDK leaked data across clients

The bug lives in server code, not any single app, so builders who copied the SDK's default pattern pass the exposure to their own users.

Why now: This matters now because the shared-instance setup it flags is already common in production, not a rare misconfiguration.

Confidence
high
Sources
1
Redaction
passed

Story

CVE-2026-25536 hit the SDK when a single McpServer instance served multiple clients, per Practical DevSecOps. The bug scores 7.1 on CVSS and covers SDK versions 1.10.0 through 1.25.3.

Reusing one server instance across multiple clients isn't a fringe setup. It's already the default for shared and remote MCP deployments running in production.

That makes this a framework bug, not a downstream-app bug. Any MCP server built on that SDK range exposes its own users to a default its builder didn't choose. The users of that server pay for a decision they never made.

Upgrading past 1.25.3 stops the SDK's bug. It doesn't check whether your own server still assumes one instance per client somewhere else in the stack, so the audit is on you.

A CVSS score on a dependency says the library stopped being the guaranteed cause. It doesn't say a specific deployment stopped leaking. Patched isn't the same as safe.

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Same source / Shared topic

    mcp-pinot exposes SQL tools with no login required

    Both cover CVE, CVSS, MCP, Practical DevSecOps; cite the same source (Practical DevSecOps); overlapping topics (cvss, server).

  2. Shared entities / Same source

    MCPJam and nginx-ui Ship 9.8 RCE Bugs

    Both cover CVE, MCP, Practical DevSecOps; cite the same source (Practical DevSecOps).

  3. Shared entities / Shared topic / Earlier coverage

    CVE-2026-33010: Any Website Can Read and Delete Your Agent's Memories

    Both cover CVE, CVSS, MCP; overlapping topics (audit, cvss, deployment); earlier CVE coverage from 2026-03-21.

  4. CVE-2026-26118: First MCP Server Infrastructure CVE.

    Both cover CVE, CVSS, MCP; overlapping topics (cvss, leak, server); earlier CVE coverage from 2026-03-12.

  5. Shared entities / Same source domain / Earlier coverage

    OX Security found a systemic RCE baked into Anthropic's official MCP SDKs, every language

    Both cover MCP, Practical DevSecOps, SDK; reported by the same outlet (practical-devsecops.com); earlier MCP coverage from 2026-06-15.

  6. Shared entities / Shared topic / Earlier coverage

    CVE-2026-46519: access-control bypass in mcp-server-kubernetes, CVSS 8.8, patched in 3.6.0.

    Both cover CVE, CVSS, MCP; overlapping topics (client, cvss); earlier CVE coverage from 2026-06-12.

  7. MCP Security Debt Hits Critical Mass: 30+ CVEs in 60 Days, PraisonAI CVSS 10, Azure AI Foundry CVSS 10

    Both cover CVE, CVSS, MCP; overlapping topics (cvss, framework); earlier CVE coverage from 2026-04-04.

  8. CVE-2026-27825: CVSS 10.0 Unauthenticated RCE in mcp-atlassian MCP Server

    Both cover CVE, CVSS, MCP; overlapping topics (cvss, server); earlier CVE coverage from 2026-03-20.

Source trail

Entities

Claim evidence

  1. The official MCP TypeScript SDK leaked data across clients

Provenance

Canonical issue
2026-07-01
AI generated
yes
Story unit
2026-07-01-cross-client-data-leak-in-the-official-mcp-typescript-sdk-versions-1-10-0-through-1-25-3
Labels
source-backed, canonical briefing excerpt