← The Wire

Public story · 2026-07-01 · high

The official MCP TypeScript SDK leaked data across clients for a year

CVE-2026-25536 shows what happens when you reuse one McpServer instance for multiple clients in a shared MCP deployment.

Why now: The bug sat in the SDK from version 1.10.0 through 1.25.3 before anyone flagged it.

Confidence
high
Sources
1
Redaction
passed

Story

CVE-2026-25536 hit the official MCP TypeScript SDK, versions 1.10.0 through 1.25.3, CVSS 7.1. The bug: if you reuse a single McpServer instance to serve multiple clients, which is a normal pattern for shared or remote MCP deployments, data leaks across those clients. One client's context bleeds into another's.

This isn't a bug in someone's MCP integration. It's in the SDK itself, the thing builders are told to trust by default. If you wrote an MCP server on that version range and you're reusing server instances instead of spinning up a fresh one per client, you've probably got a leak.

I've been watching the MCP security reports pile up this year and the pattern is consistent. It's not one bad actor's tool. It's the plumbing. Two CVSS-9.8 RCE bugs showed up in MCPJam Inspector and nginx-ui. A CVSS-10.0 flaw in mcp-pinot exposed unauthenticated tool invocation because OAuth was off by default. Now the SDK itself. NSA and CISA even put out MCP-specific security design guidance this year, which tells you the protocol grew faster than its safety rails.

What to actually do

If you're running MCP servers on the SDK in that version range, upgrade first. Then go look at how your server handles multiple clients. Don't assume instance reuse is safe just because nothing's broken yet. Silent data leaks don't throw errors, they just quietly hand one user's context to another.

I'd treat this the same way I treat any dependency that touches auth or session boundaries: read the changelog on every MCP SDK bump, not just the ones that mention security. This one didn't announce itself loudly. That's exactly the kind of bug that sits in production for a year.

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entity: Practical DevSecOps / Same source

    MCPJam and nginx-ui Ship 9.8 RCE Bugs

    Both cover Practical DevSecOps; cite the same source (Practical DevSecOps).

  2. mcp-pinot exposes SQL tools with no login required

    Both cover Practical DevSecOps; cite the same source (Practical DevSecOps).

  3. The official MCP TypeScript SDK leaked data across clients

    Both cover Practical DevSecOps; cite the same source (Practical DevSecOps).

  4. Shared entity: Practical DevSecOps / Same source domain / Earlier coverage

    OX Security found a systemic RCE baked into Anthropic's official MCP SDKs, every language

    Both cover Practical DevSecOps; reported by the same outlet (practical-devsecops.com); earlier Practical DevSecOps coverage from 2026-06-15.

  5. Shared entity: Practical DevSecOps / Same source domain

    Johns Hopkins Hijacked AI Coding Agents in CI Tests

    Both cover Practical DevSecOps; reported by the same outlet (practical-devsecops.com).

  6. Same source domain

    Re-scan MCP tool descriptions on every server update and reject silent changes.

    Reported by the same outlet (practical-devsecops.com).

  7. Semantically similar

    Cloudflare will let you charge AI agents per request for anything you host

    Covers closely related ground (similarity 0.60).

  8. Meituan open-sources 1.6T coding model built on Chinese chips

    Covers closely related ground (similarity 0.59).

Source trail

Entities

Claim evidence

  1. A vulnerability in the official MCP TypeScript SDK (versions 1.10.0–1.25.3, CVSS 7.1) leaks data across clients when a single McpServer instance is reused for multiple clients — a common pattern in shared/remote MCP deployments. Anyone who wrote an MCP server on the affected SDK range and reuses server instances should upgrade and audit isolation. This is a builder-facing bug, not a downstream-app bug.

Provenance

Canonical issue
2026-07-01
AI generated
yes
Story unit
15333
Labels
source-backed