Impact
The MCP Ruby SDK, used to interact with Model Context Protocol servers, contains a flaw in its streamable_http_transport.rb component before version 0.9.2. The SDK does not bind Server-Sent Events (SSE) streams to a unique, session-specific context. As a result, an attacker who obtains a valid session identifier can replay it to the server and open a connection that the server treats as the victim's authorized stream. The attacker thereby takes over the victim's real-time event feed and intercepts all data intended for the legitimate client, which is a confidentiality breach. The weakness aligns with CWE-384 (Session Fixation) and CWE-639 (Account or Resource Hijacking).
Affected Systems
The issue impacts installations of the Model Context Protocol Ruby SDK (modelcontextprotocol:ruby-sdk) prior to version 0.9.2. The flaw resides in the streamable_http_transport.rb implementation used by Ruby clients for Server-Sent Events communication with Model Context Protocol servers. No other vendors or programming language SDKs are affected by this specific vulnerability.
Risk and Exploitability
The CVSS v3 score of 8.2 rates this vulnerability as high severity. The EPSS score is below 1 % and the flaw is not listed in the CISA KEV catalog, but neither fact rules out exploitation: an attacker who acquires a session token (through sniffing, phishing, or another side channel) could replay it and hijack an SSE stream. The attack vector is inferred to be session ID replay, so the attacker must first capture or otherwise obtain the victim's session identifier before contacting the server. Because the vulnerability resides entirely in the client SDK, services that rely on that SDK for real-time data are exposed to unauthorized data interception.
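The Impact and Risk sections above describe the root cause as an SSE stream that is attached by session ID alone, so a replayed ID is enough to take over the feed. The following Ruby is an added illustration written for this page; it is not code from the MCP Ruby SDK or from the 0.9.2 fix. It uses a hypothetical in-memory StreamRegistry with two attach paths: attach_unbound (the replay-prone pattern) and attach_bound (a stream bound to the principal that created the session, with at most one live stream per session). The principal value is assumed to come from whatever credential the server already validated (for example an Authorization header), separately from the session ID.

```ruby
require 'securerandom'

# Hypothetical registry (added example, not the SDK's code) that maps
# session IDs to an owning principal and, at most, one live SSE stream.
class StreamRegistry
  Session = Struct.new(:id, :principal, :stream, keyword_init: true)

  def initialize
    @sessions = {}
  end

  # The server creates a session for an already-authenticated principal.
  # The ID is 256 bits of CSPRNG output, so it cannot be guessed, but an
  # unguessable ID alone does not stop replay of a captured one.
  def create_session(principal:)
    id = SecureRandom.hex(32)
    @sessions[id] = Session.new(id: id, principal: principal, stream: nil)
    id
  end

  # Replay-prone pattern: any caller presenting a known session ID can
  # attach (and silently replace) the stream, redirecting the event feed.
  def attach_unbound(session_id, stream)
    session = @sessions[session_id]
    return :unknown_session unless session

    session.stream = stream
    :attached
  end

  # Bound pattern: the stream must be opened by the principal that owns
  # the session, and a session with a live stream refuses a second one
  # instead of being taken over.
  def attach_bound(session_id, principal:, stream:)
    session = @sessions[session_id]
    return :unknown_session unless session
    return :principal_mismatch unless session.principal == principal
    return :stream_already_attached unless session.stream.nil?

    session.stream = stream
    :attached
  end

  # Push a server event to whichever stream is currently attached.
  def deliver(session_id, event)
    session = @sessions[session_id]
    return :no_stream if session.nil? || session.stream.nil?

    session.stream << event
    :delivered
  end
end

# Constructed scenario: the victim opens a stream, then an attacker who has
# captured only the session ID tries to open another one. Streams are plain
# arrays so the test can count which side received the event.
def replay_scenario
  results = {}

  registry = StreamRegistry.new
  sid = registry.create_session(principal: 'victim')
  victim_stream = []
  attacker_stream = []
  registry.attach_unbound(sid, victim_stream)
  results[:unbound_attack] = registry.attach_unbound(sid, attacker_stream)
  registry.deliver(sid, 'tool-result')
  results[:unbound_victim_received] = victim_stream.size
  results[:unbound_attacker_received] = attacker_stream.size

  registry = StreamRegistry.new
  sid = registry.create_session(principal: 'victim')
  victim_stream = []
  attacker_stream = []
  registry.attach_bound(sid, principal: 'victim', stream: victim_stream)
  results[:bound_attack] =
    registry.attach_bound(sid, principal: 'attacker', stream: attacker_stream)
  results[:bound_duplicate] =
    registry.attach_bound(sid, principal: 'victim', stream: attacker_stream)
  registry.deliver(sid, 'tool-result')
  results[:bound_victim_received] = victim_stream.size
  results[:bound_attacker_received] = attacker_stream.size

  results
end

puts replay_scenario.inspect if $PROGRAM_NAME == __FILE__
```

In the unbound path the replayed ID succeeds and the event lands in the attacker's stream; in the bound path the same replay is rejected with :principal_mismatch, and even a second stream from the correct principal is refused rather than allowed to displace the first. The binding only helps when the session ID and the principal credential are obtained separately, so the caveat for deployments is that the two must not travel in the same easily captured place, and a mismatch or duplicate-attach result is worth logging as a hijack indicator.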
OpenCVE Enrichment
Github GHSA