{
  "threat_severity" : "Important",
  "public_date" : "2026-02-04T21:29:38Z",
  "bugzilla" : {
    "description" : "@modelcontextprotocol/sdk: @modelcontextprotocol/sdk cross-client data leak",
    "id" : "2436937",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2436937"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-367",
  "details" : [ "MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, a cross-client response data leak can occur when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0.", "A data leak by way of a race condition has been discovered in the @modelcontextprotocol/sdk npm library. The cross-client response data leak exists when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. When two or more MCP clients send requests concurrently through a shared server instance, JSON-RPC message ID collisions cause responses to be routed to the wrong client's HTTP connection. Client A can receive response data intended for Client B, and vice versa, even when authorization was correctly enforced on each individual request." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2.6",
    "release_date" : "2026-03-06T00:00:00Z",
    "advisory" : "RHSA-2026:3960",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
    "package" : "ansible-automation-platform-tech-preview/mcp-server-rhel9:sha256:40a0e5a857cd2ee1e083849eb5413a3acbc681c28816c4270badeceec5ae7651"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-25536\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25536\nhttps://github.com/modelcontextprotocol/typescript-sdk/issues/204\nhttps://github.com/modelcontextprotocol/typescript-sdk/issues/243\nhttps://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7" ],
  "name" : "CVE-2026-25536",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}