
Description

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability: an attacker who obtains a valid session ID (the value carried in the Mcp-Session-Id header) can open their own GET request against that session and take over the victim's Server-Sent Events (SSE) stream, receiving the real-time server-to-client messages intended for the victim. Version 0.9.2 contains a fix; the patch commit is listed under References.
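The following Ruby model is an added illustration, not code from the ruby-sdk or from the advisory. It reduces a Streamable HTTP transport to an in-memory session table and shows the two behaviours side by side: the vulnerable variant, where a second GET carrying an already-attached session ID silently replaces the session's SSE stream (so whoever holds the ID receives the victim's messages from then on), and a hardened variant that refuses a second stream for a session that already has one. The class and method names, the use of 409 Conflict for the refusal, and the sample notification are my assumptions; the actual SDK's structure and exact patch are in the linked commit.

```ruby
# Added illustration (not the ruby-sdk's code): a minimal model of a
# Streamable HTTP transport's GET handler, showing how replacing a session's
# SSE stream on a second GET lets any holder of the session ID take over the
# victim's stream, and a hardened variant that refuses a second stream.
require "securerandom"

# Stand-in for one SSE connection: collects the events the server writes to it.
class SseStream
  attr_reader :events

  def initialize
    @events = []
  end

  def write(event)
    @events << event
  end
end

class StreamableTransport
  # reject_duplicate_stream: false models the pre-0.9.2 behaviour,
  # true models a one-stream-per-session check (assumption: 409 Conflict).
  def initialize(reject_duplicate_stream:)
    @reject_duplicate_stream = reject_duplicate_stream
    @sessions = {} # session_id => SseStream (attached) or nil (no stream yet)
  end

  # POST initialize: mint an unguessable session ID for the Mcp-Session-Id header.
  def initialize_session
    id = SecureRandom.hex(16)
    @sessions[id] = nil
    id
  end

  # GET with Mcp-Session-Id: attach an SSE stream to the session.
  # Returns [http_status, stream_or_nil].
  def handle_get(session_id)
    # Unknown IDs are rejected, so a client cannot fix its own session ID.
    return [404, nil] unless @sessions.key?(session_id)

    if @sessions[session_id] && @reject_duplicate_stream
      return [409, nil] # session already has a live stream; do not replace it
    end

    stream = SseStream.new
    @sessions[session_id] = stream # vulnerable variant overwrites the victim's stream here
    [200, stream]
  end

  # Server-to-client notification delivered on the session's current stream.
  def notify(session_id, message)
    stream = @sessions[session_id]
    return false unless stream

    stream.write(message)
    true
  end
end

# Walk through the hijack: victim attaches, attacker (who learned the ID)
# attaches with the same ID, then the server emits one notification.
# Returns who received it and what status the attacker got.
def hijack_scenario(reject_duplicate_stream:)
  transport = StreamableTransport.new(reject_duplicate_stream: reject_duplicate_stream)
  sid = transport.initialize_session
  _, victim = transport.handle_get(sid)
  attacker_status, attacker = transport.handle_get(sid) # attacker reuses the leaked ID
  # Constructed sample notification; any server-to-client message would do.
  transport.notify(sid, { "jsonrpc" => "2.0", "method" => "notifications/tools/list_changed" })
  {
    attacker_status: attacker_status,
    victim_received: victim.events.size,
    attacker_received: attacker ? attacker.events.size : 0
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{hijack_scenario(reject_duplicate_stream: false)}"
  puts "hardened:   #{hijack_scenario(reject_duplicate_stream: true)}"
end
```

Two caveats a practitioner should keep in mind: refusing a second stream only helps if the attacker arrives after the victim is attached, so high-entropy session IDs (and invalidating them on disconnect) remain the primary control, which is why the vector above has AT:P rather than an unauthenticated, no-preconditions attack; and a client that sees a 409 on its GET should treat that as a signal that its session ID may have leaked rather than simply retrying.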

State: PUBLISHED | Reserved 2026-03-24 | Published 2026-03-27 | Updated 2026-03-30 | Assigner: GitHub_M

HIGH: 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-384: Session Fixation

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

< 0.9.2: affected

References

github.com/...by-sdk/security/advisories/GHSA-qvqr-5cv7-wh35 (tagged: exploit)

github.com/...by-sdk/security/advisories/GHSA-qvqr-5cv7-wh35

github.com/...ommit/db40143402d65b4fb6923cec42d2d72cb89b3874

hackerone.com/reports/3556146

github.com/.../ModelContextProtocol.AspNetCore/SseHandler.cs

github.com/...extprotocol/go-sdk/blob/main/mcp/streamable.go

github.com/...dk/blob/main/src/mcp/server/streamable_http.py

github.com/...k/blob/main/examples/streamable_http_server.rb

github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2

cve.org (CVE-2026-33946)

nvd.nist.gov (CVE-2026-33946)
