SCA: security update for mcp (GHSA-hvrp-rf83-w775)

high Tenable Self-Hosted Container Security Plugin ID 444797

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol (MCP).
From 1.23.0 until 1.27.2, default handlers installed by server.experimental.enable_tasks() for tasks/list,
tasks/get, tasks/result, and tasks/cancel operate only on task identifiers without recording the session
that created each task, allowing any connected client to enumerate, read results from, consume messages
for, or cancel other clients' tasks. This issue is fixed in version 1.27.2. (CVE-2026-52870)

Solution

Update the mcp library and its related packages to version 1.27.2 or later.

See Also

https://github.com/advisories/GHSA-hvrp-rf83-w775

Plugin Details

Severity: High

ID: 444797

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 7/17/2026

Updated: 7/17/2026

Risk Information

VPR

Risk Factor: Low

Score: 3.9

Percentile: 52.82

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:P/A:P

CVSS Score Source: CVE-2026-52870

CVSS v3

Risk Factor: High

Base Score: 7.6

Temporal Score: 6.6

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/16/2026

Vulnerability Publication Date: 7/15/2026

Reference Information

CVE: CVE-2026-52870

cwe: CWE-862