{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33946", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.105Z", "datePublished": "2026-03-27T21:20:07.900Z", "dateUpdated": "2026-03-30T18:42:43.387Z"}, "containers": {"cna": {"title": "MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay", "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "lang": "en", "description": "CWE-384: Session Fixation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35"}, {"name": "https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec42d2d72cb89b3874", "tags": ["x_refsource_MISC"], "url": "https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec42d2d72cb89b3874"}, {"name": "https://hackerone.com/reports/3556146", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/3556146"}, {"name": "https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97", "tags": ["x_refsource_MISC"], "url": "https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97"}, {"name": "https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2", "tags": ["x_refsource_MISC"], "url": "https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2"}, {"name": "https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685", "tags": ["x_refsource_MISC"], "url": "https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685"}, {"name": "https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb", "tags": ["x_refsource_MISC"], "url": "https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb"}, {"name": "https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2"}], "affected": [{"vendor": "modelcontextprotocol", "product": "ruby-sdk", "versions": [{"version": "< 0.9.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:20:07.900Z"}, "descriptions": [{"lang": "en", "value": "MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events (SSE) stream and intercept all real-time data. Version 0.9.2 contains a patch."}], "source": {"advisory": "GHSA-qvqr-5cv7-wh35", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T18:42:40.211983Z", "id": "CVE-2026-33946", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:42:43.387Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33946", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T18:42:40.211983Z"}}}], "references": [{"url": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:42:28.737Z"}}], "cna": {"title": "MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay", "source": {"advisory": "GHSA-qvqr-5cv7-wh35", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "modelcontextprotocol", "product": "ruby-sdk", "versions": [{"status": "affected", "version": "< 0.9.2"}]}], "references": [{"url": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35", "name": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec42d2d72cb89b3874", "name": "https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec42d2d72cb89b3874", "tags": ["x_refsource_MISC"]}, {"url": "https://hackerone.com/reports/3556146", "name": "https://hackerone.com/reports/3556146", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97", "name": "https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2", "name": "https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685", "name": "https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb", "name": "https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2", "name": "https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events (SSE) stream and intercept all real-time data. Version 0.9.2 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-384", "description": "CWE-384: Session Fixation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:20:07.900Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33946", "state": "PUBLISHED", "dateUpdated": "2026-03-30T18:42:43.387Z", "dateReserved": "2026-03-24T19:50:52.105Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T21:20:07.900Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events (SSE) stream and intercept all real-time data. Version 0.9.2 contains a patch."}], "id": "CVE-2026-33946", "lastModified": "2026-03-30T19:16:26.213", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T22:16:21.580", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97"}, {"source": "security-advisories@github.com", "url": "https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2"}, {"source": "security-advisories@github.com", "url": "https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685"}, {"source": "security-advisories@github.com", "url": "https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb"}, {"source": "security-advisories@github.com", "url": "https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec42d2d72cb89b3874"}, {"source": "security-advisories@github.com", "url": "https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35"}, {"source": "security-advisories@github.com", "url": "https://hackerone.com/reports/3556146"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.9.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "ruby-sdk", "vendor": "modelcontextprotocol"}], "analysis": {"en": {"generated_at": "2026-03-28T05:55:32.243428+00:00", "value": {"mitigation_remediation": ["Update the Ruby SDK to version 0.9.2 or later to apply the vendor patch", "Verify that all deployed SDKs run the updated version and that no older releases remain in the environment", "Monitor SDK usage logs for anomalous session ID activity to detect potential replay attempts"], "summary": {"action": "Patch Now", "impact": "Session hijacking of Server-Sent Events streams allowing full interception of real\u2011time data"}, "threat_synthesis": {"affected_systems": "The problem exists in all releases of the Model Context Protocol Ruby SDK before version 0.9.2. Systems that use the streamable_http_transport component and have not applied the v0.9.2 update are affected.", "description_and_impact": "The vulnerability is a classic session hijacking flaw where an attacker who learns a valid session ID can hijack the Server\u2011Sent Events stream used by the Ruby SDK. This allows the attacker to intercept all data sent over the stream, potentially exposing sensitive or confidential information and undermining integrity of the data flow.", "risk_and_exploitability": "With a CVSS score of 8.2 the vulnerability is considered high in severity. The exploit requires possession of a session ID, which may be obtained by an attacker through network eavesdropping, social engineering, or other means. Because session IDs are transmitted over the network, the attack vector is likely remote network. No entry in the KEV catalog has been found, and no EPSS score is available, but given the severity and the need for a valid session ID, the risk remains high enough to warrant immediate attention."}}}}, "created": "2026-03-29T20:29:43.459561+00:00", "updated": "2026-03-30T07:59:17.296402+00:00", "vendors": ["modelcontextprotocol", "modelcontextprotocol$PRODUCT$ruby-sdk"]}