Cyber Resilience

CVE-2026-25536

High

Published: 04 February 2026

Published
04 February 2026
Modified
18 March 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0002 3.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25536 is a high-severity Race Condition (CWE-362) vulnerability in Lfprojects Mcp Typescript Sdk. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-4 (Information in Shared System Resources).

Deeper analysis

CVE-2026-25536 affects the MCP TypeScript SDK, the official TypeScript SDK for Model Context Protocol servers and clients. The vulnerability is a cross-client response data leak occurring from version 1.10.0 to 1.25.3, triggered when a single McpServer/Server and transport instance is reused across multiple client connections. This issue is most commonly observed in stateless StreamableHTTPServerTransport deployments. It has been assigned CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition')) and a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).

An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By connecting as a client to the affected server, the attacker can cause response data intended for one client to leak to another, achieving high confidentiality impact (C:H) through unauthorized data exposure across connections, along with low integrity impact (I:L).

The vulnerability has been patched in version 1.26.0 of the MCP TypeScript SDK. Additional details are available in the GitHub security advisory (GHSA-345p-7cg4-v4c7) and related issues #204 and #243 in the modelcontextprotocol/typescript-sdk repository.

EU & UK References

Vulnerability details

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in…

more

stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: mcp, model context protocol

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE enables exploitation of the public-facing MCP HTTP server (StreamableHTTPServerTransport) for cross-client data leakage via the documented race condition.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-0621Same product: Lfprojects Mcp Typescript Sdk
CVE-2026-27896Same vendor: Lfprojects
CVE-2025-15031Same vendor: Lfprojects
CVE-2026-2652Same vendor: Lfprojects
CVE-2025-11201Same vendor: Lfprojects
CVE-2025-11200Same vendor: Lfprojects
CVE-2026-33252Same vendor: Lfprojects
CVE-2025-32991Shared CWE-362
CVE-2025-67733Same vendor: Lfprojects
CVE-2026-21864Same vendor: Lfprojects

Affected Assets

lfprojects
mcp typescript sdk
1.10.0 — 1.26.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires protection of client response data in shared server/transport resources so that information is not accessible to other concurrent client connections.

prevent

Enforces controlled information flow between distinct client sessions, preventing the cross-client response leakage that occurs when a shared McpServer instance is reused.

prevent

Requires the system to enforce access rules that limit each client connection to only its own authorized response data, blocking the unauthorized exposure described in the CVE.

References