Session Hijacking Vulnerability in Ruby SDK for Model Context Protocol
CVE-2026-33946

8.2HIGH

Key Information:

Vendor: Modelcontextprotocol
Status: Ruby-sdk
Vendor: CVE Published:; 27 March 2026

🔔 Create Modelcontextprotocol Vulnerability Alert

What is CVE-2026-33946?

The Ruby SDK for Model Context Protocol contains a session hijacking vulnerability in its streamable_http_transport.rb implementation. An attacker who obtains a valid session ID can gain unauthorized access to a victim's Server-Sent Events (SSE) stream, allowing them to intercept all real-time data transmitted over this channel. This issue has been addressed in version 0.9.2, which includes necessary patches to mitigate the risk.