Learning CenterArticles
Article None April 17, 2026

CVE-2026-25536: Critical Cross-Client Data Leak in MCP TypeScript SDK Demands Immediate Action

CVE-2026-25536: Critical Cross-Client Data Leak in MCP TypeScript SDK Demands Immediate Action

A critical vulnerability in the Model Context Protocol TypeScript SDK (CVE-2026-25536) exposes a dangerous cross-client response data leak affecting versions 1.10.0 through 1.25.3. When servers or transport layers are reused across multiple connections, responses intended for one client can be leaked to another—creating a severe confidentiality breach in multi-tenant AI agent deployments. The vulnerability is particularly devastating for stateless StreamableHTTPServerTransport configurations, where transport reuse is common for performance optimization.

This vulnerability was disclosed through NVD and patched in SDK version 1.26.0. If your AI agent infrastructure relies on the MCP TypeScript SDK, immediate assessment and patching is non-negotiable. The original research is available at: https://nvd.nist.gov/vuln/detail/CVE-2026-25536

How the Vulnerability Works

The root cause lies in how the MCP TypeScript SDK handles transport layer state when servers or transports are instantiated once and reused across multiple client connections. In typical production deployments, developers often initialize a single StreamableHTTPServerTransport instance to handle multiple concurrent requests—an optimization that reduces connection overhead and improves latency.

However, versions 1.10.0 through 1.25.3 fail to properly isolate response channels between clients. When transport reuse occurs, the internal message routing mechanism can inadvertently direct server responses to the wrong client connection. This manifests as Client A receiving responses intended for Client B, potentially exposing sensitive data, tool execution results, or internal system state.

The stateless StreamableHTTPServerTransport pattern amplifies this risk because it lacks persistent session tracking that might otherwise catch routing mismatches. Each HTTP request is treated independently, but the underlying transport object maintains shared state that bleeds across connection boundaries.

Real-World Impact on AI Agent Deployments

The implications extend far beyond simple data leakage. In production AI agent systems, this vulnerability could expose:

  • User conversation history: One agent's context window leaking to another user's session
  • Tool execution results: Sensitive API responses, database queries, or file operations visible to unauthorized clients
  • Authentication tokens: Session credentials or OAuth tokens crossing tenant boundaries
  • Internal system prompts: System instructions and agent configurations exposed to end users

For multi-tenant SaaS platforms running AI agents, this represents a catastrophic confidentiality failure. Consider a healthcare AI assistant where Patient A's medical queries are routed to Patient B's session, or a financial advisory agent leaking portfolio data between users. The blast radius scales with deployment size—larger agent fleets face proportionally higher exposure.

The vulnerability is particularly insidious because it may not trigger obvious error conditions. Responses appear to succeed from the server's perspective, but data lands in the wrong hands silently. Detection requires careful monitoring of response-to-request correlation, which many deployments lack.

Immediate Defensive Measures

Priority 1: Patch immediately. Upgrade to MCP TypeScript SDK version 1.26.0 or later, which contains the fix for this cross-client leak.

Priority 2: Audit transport instantiation. Review your server initialization code to identify any transport or server reuse patterns:

// VULNERABLE PATTERN - Reusing transport across connections
const transport = new StreamableHTTPServerTransport({
  // ... configuration
});

// This single transport instance shared across all requests
app.post('/mcp', async (req, res) => {
  const server = new Server({ /* config */ });
  await server.connect(transport); // Reusing transport = data leak risk
  // ... handle request
});

Replace with isolated transport instances per connection:

// SAFE PATTERN - Fresh transport per connection
app.post('/mcp', async (req, res) => {
  // Create new transport for each connection
  const transport = new StreamableHTTPServerTransport({
    // ... configuration
  });

  const server = new Server({ /* config */ });
  await server.connect(transport);

  // Properly cleanup after request completes
  res.on('close', () => {
    transport.close();
  });
});

Priority 3: Implement response correlation validation. Add middleware to verify that responses match their originating requests:

// Response validation wrapper
async function validateResponseRouting(requestId: string, response: any): Promise<boolean> {
  // Verify response metadata matches request
  if (response.requestId !== requestId) {
    console.error(`Response routing mismatch: expected ${requestId}, got ${response.requestId}`);
    return false;
  }
  return true;
}

Priority 4: Enable comprehensive logging. Capture request-response pairs with correlation IDs to detect potential leaks in your logs:

// Logging middleware for MCP requests
app.use((req, res, next) => {
  const requestId = crypto.randomUUID();
  req.requestId = requestId;

  console.log(`[${new Date().toISOString()}] MCP Request ${requestId} from ${req.ip}`);

  res.on('finish', () => {
    console.log(`[${new Date().toISOString()}] MCP Response ${requestId} status: ${res.statusCode}`);
  });

  next();
});

Long-Term Architectural Hardening

Beyond immediate patching, consider these architectural improvements to prevent similar vulnerabilities:

  1. Transport per connection pattern: Make transport isolation the default architecture, not an optimization to remove
  2. Response signing: Cryptographically sign responses with request-specific nonces to prevent cross-client substitution
  3. Connection pooling with isolation: If connection reuse is required for performance, implement strict session isolation at the transport layer
  4. Request-response correlation monitoring: Deploy automated checks that alert when response characteristics don't match request patterns
  5. Penetration testing: Regularly test multi-tenant scenarios with synthetic data to catch isolation failures

The MCP ecosystem is maturing rapidly, and this vulnerability highlights the critical importance of transport layer security in agent architectures. As AI agents handle increasingly sensitive data, the attack surface expands beyond traditional application vulnerabilities into the protocol and transport layers themselves.

Key Takeaways

  • CVE-2026-25536 affects MCP TypeScript SDK versions 1.10.0-1.25.3 with severity HIGH
  • Immediate action required: Upgrade to version 1.26.0+ and audit for transport reuse
  • Stateless StreamableHTTPServerTransport deployments face highest risk
  • Cross-client data leaks in AI agents can expose conversations, tool results, and credentials
  • Defense in depth: Patch first, then implement transport isolation and correlation validation

For the complete vulnerability details, refer to the NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-25536

If you've identified this vulnerability in your infrastructure, treat it as a potential data breach incident. Review logs for anomalous response patterns and consider notifying affected users if cross-client data exposure is confirmed.

AgentGuard360

Built for agents and humans. Comprehensive threat scanning, device hardening, and runtime protection. All without data leaving your machine.

Coming Soon
← Back to Learning Center