Session Management Flaw in DeepSeek MCP Server Affects Multiple Versions
CVE-2026-55604
8.6HIGH
What is CVE-2026-55604?
The DeepSeek MCP Server, prevalent from version 1.4.2 up to 1.7.0, suffers from a serious flaw where the SessionStore freely accepts unverified session_id values. This loophole enables attackers to enumerate valid session IDs through the deepseek_sessions endpoint. By exploiting this vulnerability, an attacker can hijack an ongoing conversation by injecting a previously captured session ID into the deepseek_chat interface, thereby gaining unauthorized access to a victim’s interaction without any form of authentication. Version 1.7.0 has been updated to address this issue.
Affected Version(s)
deepseek-mcp-server >= 1.4.2, < 1.7.0
