INC-26-0019 | Status: Confirmed | Severity: High

MCP TypeScript SDK Race Condition Leaks Data Across Client Boundaries (2026)

Attribution

Developer: Anthropic, as publisher of the Model Context Protocol TypeScript SDK (@modelcontextprotocol/sdk). Deployer: developers building MCP-based AI tool integrations on that SDK. Harmed parties: users of MCP-based applications in which one server instance was shared across clients. Possible contributing factors: misconfigured deployment (a single server and transport reused for all connections) and insufficient safety testing.

Incident Details

Last Updated 2026-03-29

CVE-2026-25536 (CVSS 7.1) identified a race condition in the Model Context Protocol TypeScript SDK where reusing a single McpServer instance with StreamableHTTPServerTransport across multiple client connections caused responses to leak across client boundaries, exposing one client's data to another.

Incident Summary

CVE-2026-25536, disclosed on February 4, 2026, identified a race condition (CWE-362) in the Model Context Protocol TypeScript SDK versions 1.10.0 through 1.25.3 that caused cross-client data leakage when a single McpServer or Server instance was reused across multiple client connections in stateless StreamableHTTPServerTransport deployments.[1] The vulnerability was scored CVSS 7.1 (High) with the vector string AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N: reachable over the network, low attack complexity, no user interaction, low privileges required (consistent with an attacker who is itself one of the clients of the shared server), high confidentiality impact and low integrity impact.[1] It allowed responses intended for one client to be delivered to a different client sharing the same server instance.[1] Six public proof-of-concept exploits were documented on GitHub, demonstrating practical exploitability.[1] The vulnerability was fixed in version 1.26.0, which enforces isolation between client connections; the accompanying guidance is to use a separate transport instance per client connection rather than one shared instance.[1][2]
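The failure mode described above, as an added model written for this page rather than code taken from the SDK or from the advisory: a transport that routes each JSON-RPC response back to the waiting HTTP client by the client-chosen request id, first created once and shared by every connection, then created per connection. The routing-by-id mechanism, the client names and the tool result strings are assumptions of the model, not facts about the SDK's internals; what the model reproduces is the page's point that two clients sharing one transport instance can have their responses crossed.

```typescript
// Constructed model of the shared-transport anti-pattern behind CVE-2026-25536.
// This is NOT code from @modelcontextprotocol/sdk and makes no claim about its
// internals; it only reproduces the routing problem the advisory describes:
// a transport must hand each JSON-RPC response back to the HTTP client that is
// waiting for it, and clients pick their own request ids.

type Req = { jsonrpc: "2.0"; id: number; method: string };
type Res = { jsonrpc: "2.0"; id: number; result: string };
type Responder = (res: Res) => void;

// Stand-in for tool execution; the result belongs to the calling client only.
function executeTool(req: Req, client: string): Res {
  return { jsonrpc: "2.0", id: req.id, result: `tool result for ${client}` };
}

// Model transport: remembers which HTTP response each JSON-RPC id must go to.
// The map keyed by client-chosen id is the shared resource of CWE-362.
class ModelTransport {
  private pending = new Map<number, Responder>();

  handlePost(req: Req, client: string, respond: Responder, server: ModelServer): void {
    // Assumed model behaviour: when this transport is shared, a second client
    // using the same id silently overwrites the first client's responder.
    this.pending.set(req.id, respond);
    server.dispatch(req, client, this);
  }

  deliver(res: Res): void {
    const respond = this.pending.get(res.id);
    this.pending.delete(res.id);
    if (respond) respond(res);
  }
}

class ModelServer {
  // Tool work finishes on a later tick, like real I/O, so both POSTs are
  // registered before either response is delivered.
  dispatch(req: Req, client: string, transport: ModelTransport): void {
    queueMicrotask(() => transport.deliver(executeTool(req, client)));
  }
}

// Two independent clients that both, legitimately, use id 1 for their first call.
const CLIENTS = ["alice", "bob"];
const FIRST_CALL: Req = { jsonrpc: "2.0", id: 1, method: "tools/call" };

// Sends one concurrent POST per client through the transport chosen by `pick`
// and records which result each client actually received.
async function simulate(pick: (client: string) => ModelTransport): Promise<Record<string, string>> {
  const server = new ModelServer();
  const received: Record<string, string> = {};
  for (const client of CLIENTS) {
    pick(client).handlePost(FIRST_CALL, client, (res) => { received[client] = res.result; }, server);
  }
  await new Promise<void>((resolve) => setTimeout(resolve, 0)); // let the tool work drain
  for (const client of CLIENTS) {
    if (!(client in received)) received[client] = "<no response>";
  }
  return received;
}

// Vulnerable deployment: one transport created once and reused for every client.
function sharedTransportDeployment(): Promise<Record<string, string>> {
  const shared = new ModelTransport();
  return simulate(() => shared);
}

// Remediated deployment: a fresh transport per client connection, as advised.
function perConnectionDeployment(): Promise<Record<string, string>> {
  return simulate(() => new ModelTransport());
}

sharedTransportDeployment().then((r) => console.log("shared:", r));
perConnectionDeployment().then((r) => console.log("per-connection:", r));
```

In the shared deployment bob ends up holding alice's result and alice receives nothing; in the per-connection deployment each client gets its own. In a real StreamableHTTPServerTransport deployment the equivalent of `pick(client)` is constructing the transport, and connecting the server to it, inside the HTTP request handler rather than once at module load, which is the per-connection arrangement the advisory recommends.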

Key Facts

  • CVE: CVE-2026-25536, CVSS 7.1 (High)[1]
  • Classification: CWE-362 — Concurrent Execution using Shared Resource with Improper Synchronization[1]
  • Affected versions: @modelcontextprotocol/sdk v1.10.0 through v1.25.3[1]
  • Root cause: Race condition when a single McpServer instance with StreamableHTTPServerTransport is shared across multiple concurrent client connections[1]
  • Impact: Responses leak across client boundaries — one client receives data intended for another client[1]
  • Exploitability: Remotely exploitable; six public proof-of-concept exploits on GitHub[1]
  • Related attack patterns: CAPEC-26 (Leveraging Race Conditions) and CAPEC-29 (TOCTOU Race Conditions)[1]
  • Fix: Version 1.26.0 released with proper client isolation; organizations advised to use separate transport instances per client connection[1]

Threat Patterns Involved

Primary: Agent-to-Agent Propagation — The defect is a concurrency bug in shared server infrastructure rather than a behaviour of any agent, but its effect is unintended data flow between the AI agents or client applications connected to the same MCP server instance. The race delivers a response (for example a tool call result) to a client other than the one that issued the request, so one agent's context and data reach another agent that never requested them, without authorization and without either side being aware of the substitution.

Significance

  1. Multi-tenant AI infrastructure risk — The MCP SDK is foundational infrastructure for AI tool integrations across Claude Desktop, Cursor, Windsurf, and custom applications. A race condition at this layer affects every deployment that follows the common pattern of sharing server instances across connections
  2. Data isolation in agent ecosystems — As AI agents increasingly operate through shared protocol infrastructure, this vulnerability illustrates that traditional web application isolation assumptions (one request, one response) do not automatically hold in agent-to-agent communication layers
  3. Six public PoC exploits — The availability of multiple proof-of-concept exploits on GitHub before the patch was widely adopted increased the practical risk to production deployments

Timeline

CVE-2026-25536 disclosed (2026-02-04): race condition in @modelcontextprotocol/sdk v1.10.0 through v1.25.3

Fix released in @modelcontextprotocol/sdk v1.26.0

CVE record last modified with updated exploit information

Outcomes

Recovery:
Fixed in @modelcontextprotocol/sdk version 1.26.0; recommended separate transport instances per client connection
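A dependency audit for the affected range, added here as an example and not a tool shipped by the MCP project: it reads an npm lockfile's `packages` map and reports every installed copy of @modelcontextprotocol/sdk between 1.10.0 and 1.25.3 inclusive, including nested copies that a transitive dependency may still pin after the top-level package has been upgraded. The lockfile content is constructed, and the wrapper package name `some-mcp-wrapper` is made up.

```typescript
// Added dependency check for CVE-2026-25536: flags every copy of
// @modelcontextprotocol/sdk in an npm lockfile whose version falls in the
// affected range 1.10.0 through 1.25.3. Written for this page; it is not a
// tool from the MCP project. The sample lockfile below is constructed.

const AFFECTED_PACKAGE = "@modelcontextprotocol/sdk";
const FIRST_AFFECTED = "1.10.0";
const FIRST_FIXED = "1.26.0"; // first release that isolates client connections

// Parses "MAJOR.MINOR.PATCH" and drops any pre-release or build suffix, so a
// 1.26.0-rc.1 counts as 1.26.0; an audit that only needs the range boundaries
// can live with that simplification.
function parseSemver(version: string): [number, number, number] {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a: string, b: string): number {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// True when FIRST_AFFECTED <= version < FIRST_FIXED.
function isAffected(version: string): boolean {
  return compareSemver(version, FIRST_AFFECTED) >= 0 && compareSemver(version, FIRST_FIXED) < 0;
}

type LockfilePackages = Record<string, { version?: string }>;
type Finding = { path: string; version: string };

// Walks the lockfileVersion 2/3 "packages" map. Keys are install paths, so a
// nested copy (node_modules/<dep>/node_modules/@modelcontextprotocol/sdk) is
// caught as well as the top-level one.
function findAffected(lock: { packages?: LockfilePackages }): Finding[] {
  const packages = lock.packages || {};
  const hits: Finding[] = [];
  for (const path of Object.keys(packages)) {
    const entry = packages[path];
    if (!path.endsWith(`node_modules/${AFFECTED_PACKAGE}`) || !entry.version) continue;
    if (isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample: a patched top-level copy hiding a vulnerable nested one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.1.0" },
    "node_modules/@modelcontextprotocol/sdk": { version: "1.26.0" },
    "node_modules/some-mcp-wrapper": { version: "2.3.1" },
    "node_modules/some-mcp-wrapper/node_modules/@modelcontextprotocol/sdk": { version: "1.25.3" },
    "node_modules/zod": { version: "3.23.8" },
  },
};

function auditSample(): Finding[] {
  return findAffected(SAMPLE_LOCK);
}

for (const hit of auditSample()) {
  console.log(`AFFECTED ${hit.path} @ ${hit.version} (upgrade to >= ${FIRST_FIXED})`);
}
```

To audit a real project, pass `JSON.parse` of its package-lock.json (lockfileVersion 2 or 3) to `findAffected`. Upgrading every reported copy clears the finding; the advisory separately recommends one transport instance per client connection, which a lockfile check cannot verify.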

Use in Retrieval

INC-26-0019 documents MCP TypeScript SDK Race Condition Leaks Data Across Client Boundaries, a high-severity incident classified under the Agentic Systems domain and the Agent-to-Agent Propagation threat pattern (PAT-AGT-001). It occurred in North America (2026-02). This page is maintained by TopAIThreats.com as part of an evidence-based registry of AI-enabled threats. Cite as: TopAIThreats.com, "MCP TypeScript SDK Race Condition Leaks Data Across Client Boundaries," INC-26-0019, last updated 2026-03-29.

Sources

  1. CVE-2026-25536 — MCP SDK Cross-Client Data Leak (primary, 2026-02-04)
    https://cvefeed.io/vuln/detail/CVE-2026-25536
  2. CVE-2026-25536: SDK Cross-Client Data Leak (analysis, 2026-02)
    https://vulnerablemcp.info/vuln/cve-2026-25536-sdk-cross-client-data-leak.html

Update Log

  • — First logged (Status: Confirmed, Evidence: Primary)