{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33946", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.105Z", "datePublished": "2026-03-27T21:20:07.900Z", "dateUpdated": "2026-03-30T18:42:43.387Z"}, "containers": {"cna": {"title": "MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay", "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "lang": "en", "description": "CWE-384: Session Fixation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35"}, {"name": "https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec42d2d72cb89b3874", "tags": ["x_refsource_MISC"], "url": "https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec42d2d72cb89b3874"}, {"name": "https://hackerone.com/reports/3556146", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/3556146"}, {"name": "https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97", "tags": ["x_refsource_MISC"], "url": "https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97"}, {"name": "https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2", "tags": ["x_refsource_MISC"], "url": "https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2"}, {"name": "https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685", "tags": ["x_refsource_MISC"], "url": "https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685"}, {"name": "https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb", "tags": ["x_refsource_MISC"], "url": "https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb"}, {"name": "https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2"}], "affected": [{"vendor": "modelcontextprotocol", "product": "ruby-sdk", "versions": [{"version": "< 0.9.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:20:07.900Z"}, "descriptions": [{"lang": "en", "value": "MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events (SSE) stream and intercept all real-time data. Version 0.9.2 contains a patch."}], "source": {"advisory": "GHSA-qvqr-5cv7-wh35", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T18:42:40.211983Z", "id": "CVE-2026-33946", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:42:43.387Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33946", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T18:42:40.211983Z"}}}], "references": [{"url": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:42:28.737Z"}}], "cna": {"title": "MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay", "source": {"advisory": "GHSA-qvqr-5cv7-wh35", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "modelcontextprotocol", "product": "ruby-sdk", "versions": [{"status": "affected", "version": "< 0.9.2"}]}], "references": [{"url": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35", "name": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec42d2d72cb89b3874", "name": "https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec42d2d72cb89b3874", "tags": ["x_refsource_MISC"]}, {"url": "https://hackerone.com/reports/3556146", "name": "https://hackerone.com/reports/3556146", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97", "name": "https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2", "name": "https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685", "name": "https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb", "name": "https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2", "name": "https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events (SSE) stream and intercept all real-time data. Version 0.9.2 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-384", "description": "CWE-384: Session Fixation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:20:07.900Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33946", "state": "PUBLISHED", "dateUpdated": "2026-03-30T18:42:43.387Z", "dateReserved": "2026-03-24T19:50:52.105Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T21:20:07.900Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lfprojects:mcp_ruby_sdk:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA740303-1659-4AA5-BF51-441A6D3B8B7C", "versionEndExcluding": "0.9.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events (SSE) stream and intercept all real-time data. Version 0.9.2 contains a patch."}], "id": "CVE-2026-33946", "lastModified": "2026-04-02T15:23:21.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T22:16:21.580", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec42d2d72cb89b3874"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/3556146"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-384"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.9.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "ruby-sdk", "vendor": "modelcontextprotocol"}], "analysis": {"en": {"generated_at": "2026-04-02T16:29:29.510689+00:00", "value": {"mitigation_remediation": ["Upgrade the Model Context Protocol Ruby SDK to version 0.9.2 or later.", "Verify the SDK version in all affected deployments to confirm the patch is applied.", "Review any custom SSE handling code to enforce proper session validation or binding.", "If an upgrade cannot be performed immediately, consider implementing additional server\u2011side checks that require new session identifiers for each SSE connection."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Sent Events stream hijacking via session ID replay"}, "threat_synthesis": {"affected_systems": "The issue impacts installations of the Model Context Protocol Ruby SDK (modelcontextprotocol:ruby-sdk) prior to version 0.9.2. The flaw resides in the streamable_http_transport.rb implementation used by Ruby clients for Server\u2011Sent Events communication with Model Context Protocol servers. No other vendors or programming language SDKs are affected by this specific vulnerability.", "description_and_impact": "The MCP Ruby SDK, employed to interact with Model Context Protocol servers, contains a flaw in its streamable_http_transport.rb component before version 0.9.2. The SDK fails to bind Server\u2011Sent Events streams to a unique, session\u2011specific context. Consequently, an attacker who obtains a valid session identifier can replay that token to the server and establish a connection that the server treats as the victim\u2019s authorized stream. This permits the attacker to hijack the victim\u2019s real\u2011time event feed and intercept all data intended for the legitimate client, resulting in a confidentiality breach. The weakness aligns with CWE\u2011384 (Session Fixation) and CWE\u2011639 (Account or Resource Hijacking).", "risk_and_exploitability": "The CVSS v3 score of 8.2 marks this vulnerability as high severity. While the EPSS score is below 1\u202f%, the exclusion of this flaw from the CISA KEV catalog does not eliminate the possibility of exploitation; an attacker who acquires a session token\u2014through sniffing, phishing, or another side channel\u2014could replay it and hijack an SSE stream. The attack vector is inferred to be session ID replay, requiring the attacker to first capture or otherwise obtain the victim\u2019s session identifier before contacting the server. With the vulnerability residing entirely in the client SDK, services that rely on that SDK for real-time data are at risk of unauthorized data interception."}}}}, "created": "2026-03-29T20:29:43.459561+00:00", "updated": "2026-04-02T20:22:54.215054+00:00", "vendors": ["modelcontextprotocol", "modelcontextprotocol$PRODUCT$ruby-sdk"]}