SCA: security update for mcp (GHSA-jpw9-pfvf-9f58)

high Tenable Cloud Security Plugin ID 444805

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol (MCP).
Prior to 1.27.2, the SSE and stateful Streamable HTTP transports mcp.server.sse.SseServerTransport and
mcp.server.streamable_http_manager.StreamableHTTPSessionManager route requests to existing sessions using
only the session_id query parameter or Mcp-Session-Id header without verifying the authenticated principal
that created the session, allowing a different bearer-token-authenticated client with a known session ID
to inject JSON-RPC messages into that session. This issue is fixed in version 1.27.2. (CVE-2026-52869)

Solution

Update the mcp library and its related packages to version 1.27.2 or later.

See Also

https://github.com/advisories/GHSA-jpw9-pfvf-9f58

Plugin Details

Severity: High

ID: 444805

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 7/17/2026

Updated: 7/17/2026

Risk Information

VPR

Risk Factor: Medium

Score: 4.5

Percentile: 57.63

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:P

CVSS Score Source: CVE-2026-52869

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/16/2026

Vulnerability Publication Date: 7/15/2026

Reference Information

CVE: CVE-2026-52869

cwe: CWE-639