Vulnerability Description
MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events (SSE) stream and intercept all real-time data. Version 0.9.2 contains a patch.
CVSS Score
MEDIUM (base score 5.9)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lfprojects | Mcp Ruby Sdk | < 0.9.2 |
Related Weaknesses (CWE)
References
- https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextPro (Patch)
- https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C (Patch)
- https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/stre (Patch)
- https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_h (Patch)
- https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec (Patch)
- https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2 (Product, Release Notes)
- https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5 (Exploit, Vendor Advisory)
- https://hackerone.com/reports/3556146 (Permissions Required)
FAQ
What is CVE-2026-33946?
CVE-2026-33946 is a vulnerability with a CVSS score of 5.9 (MEDIUM). MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability: an attacker who obtains a valid session ID can hijack the victim's Server-Sent Events (SSE) stream and intercept all real-time data sent over it.
How severe is CVE-2026-33946?
CVE-2026-33946 has been rated MEDIUM with a CVSS base score of 5.9/10.
Is there a patch for CVE-2026-33946?
Yes. Version 0.9.2 of the MCP Ruby SDK contains the fix; see the references section above for the vendor advisory, release notes and patch commit. Affected products: Lfprojects Mcp Ruby Sdk (versions prior to 0.9.2).