Public story · 2026-07-01 · high
The official MCP TypeScript SDK leaked data across clients
The bug lives in server code, not any single app, so builders who copied the SDK's default pattern pass the exposure to their own users.
Why now: This matters now because the shared-instance setup it flags is already common in production, not a rare misconfiguration.
Story
CVE-2026-25536 hit the SDK when a single McpServer instance served multiple clients, per Practical DevSecOps. The bug scores 7.1 on CVSS and covers SDK versions 1.10.0 through 1.25.3.
Reusing one server instance across multiple clients isn't a fringe setup. It's already the default for shared and remote MCP deployments running in production.
That makes this a framework bug, not a downstream-app bug. Any MCP server built on that SDK range exposes its own users to a default its builder didn't choose. The users of that server pay for a decision they never made.
Upgrading past 1.25.3 stops the SDK's bug. It doesn't check whether your own server still assumes one instance per client somewhere else in the stack, so the audit is on you.
A CVSS score on a dependency says the library stopped being the guaranteed cause. It doesn't say a specific deployment stopped leaking. Patched isn't the same as safe.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Same source / Shared topic
mcp-pinot exposes SQL tools with no login required
Both cover CVE, CVSS, MCP, Practical DevSecOps; cite the same source (Practical DevSecOps); overlapping topics (cvss, server).
Shared entities / Same source
MCPJam and nginx-ui Ship 9.8 RCE Bugs
Both cover CVE, MCP, Practical DevSecOps; cite the same source (Practical DevSecOps).
Shared entities / Shared topic / Earlier coverage
CVE-2026-33010: Any Website Can Read and Delete Your Agent's Memories
Both cover CVE, CVSS, MCP; overlapping topics (audit, cvss, deployment); earlier CVE coverage from 2026-03-21.
CVE-2026-26118: First MCP Server Infrastructure CVE.
Both cover CVE, CVSS, MCP; overlapping topics (cvss, leak, server); earlier CVE coverage from 2026-03-12.
Shared entities / Same source domain / Earlier coverage
OX Security found a systemic RCE baked into Anthropic's official MCP SDKs, every language
Both cover MCP, Practical DevSecOps, SDK; reported by the same outlet (practical-devsecops.com); earlier MCP coverage from 2026-06-15.
Shared entities / Shared topic / Earlier coverage
CVE-2026-46519: access-control bypass in mcp-server-kubernetes, CVSS 8.8, patched in 3.6.0.
Both cover CVE, CVSS, MCP; overlapping topics (client, cvss); earlier CVE coverage from 2026-06-12.
MCP Security Debt Hits Critical Mass: 30+ CVEs in 60 Days, PraisonAI CVSS 10, Azure AI Foundry CVSS 10
Both cover CVE, CVSS, MCP; overlapping topics (cvss, framework); earlier CVE coverage from 2026-04-04.
CVE-2026-27825: CVSS 10.0 Unauthenticated RCE in mcp-atlassian MCP Server
Both cover CVE, CVSS, MCP; overlapping topics (cvss, server); earlier CVE coverage from 2026-03-20.
Source trail
Entities
Claim evidence
- The official MCP TypeScript SDK leaked data across clients
Provenance
- Canonical issue
- 2026-07-01
- AI generated
- yes
- Story unit
- 2026-07-01-cross-client-data-leak-in-the-official-mcp-typescript-sdk-versions-1-10-0-through-1-25-3
- Labels
- source-backed, canonical briefing excerpt