Ruby SSE Session Poisoning
Published: July 07, 2026
SECURITY IDENTIFIERS
- GHSA: GHSA-5p9g-j988-pcwv
- Vendor Advisory: https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-5p9g-j988-pcwv
GEM
PATCHED VERSIONS
>= 0.23.0
DESCRIPTION
Summary
Vulnerability: Missing Session Ownership Validation in the Ruby MCP SDK's Streamable and SSE HTTP transport implementation. Any attacker with a stolen session ID can execute tools with the victim's session. This is a silent attack - the victim's session is compromised and being used for unauthorized actions, but it is hard to know for the victim.
