CVE-2026-25536 | Severity: High | CVSS 8.1

MCP TypeScript SDK Cross-Client Response Data Leak in Shared Server Deployments

Tags: mcp, agentic-security, data-leak, multi-tenant

The official @modelcontextprotocol/sdk TypeScript package — the primary SDK used to build MCP servers — contains a cross-client response data leak when a single McpServer or Server instance is shared across multiple client connections. This is the default architecture for stateless StreamableHTTPServer deployments, which is how the majority of production MCP servers are configured.

When multiple clients share one server instance, responses intended for one client can be delivered to another — leaking tool outputs, model responses, and any sensitive data those responses contain. Six public proof-of-concept exploits were published on GitHub at the time of disclosure. The vulnerability was fixed in version 1.26.0.

Any multi-tenant or high-availability MCP server running versions 1.10.0 through 1.25.3 is a data boundary breach risk. In practice, this means an agent processing one user's data can expose that data to a concurrent request from a different user — with no error, no log entry, and no indication that the boundary was crossed.

Immediate recommendation: Upgrade @modelcontextprotocol/sdk to 1.26.0 or later. If you cannot upgrade immediately, configure each client connection to use an isolated server instance rather than a shared one.
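The difference between the two deployment shapes named above can be seen in a small model. The following TypeScript is an added illustration, not code from the @modelcontextprotocol/sdk or from this advisory: it assumes a deliberately simplified server with a single transport slot (whichever client connected last receives every response) and scripts one interleaving where client A's tool call is still running when client B connects. It does not claim this is the SDK's internal cause of the leak; it only shows why a per-connection instance closes the data boundary and how a receiving side can check for responses that do not belong to it. All client names and inputs are constructed.

```typescript
// Added model, not SDK code: a tool response as seen by a client.
type ToolResponse = { id: number; result: string };

// Stand-in for a client's transport: it only records what it was sent.
class FakeTransport {
  readonly received: ToolResponse[] = [];
  constructor(readonly clientName: string) {}
  send(msg: ToolResponse): void {
    this.received.push(msg);
  }
}

// Simplified server model (assumption, not the SDK's implementation): one
// transport slot, so every response goes to whichever transport connected last.
// A tool call is split into two phases so interleavings can be scripted.
class ServerModel {
  private transport: FakeTransport | null = null;
  private readonly inFlight = new Map<number, { owner: string; input: string }>();

  connect(transport: FakeTransport): void {
    this.transport = transport;
  }

  // Phase 1: a client's tool call arrives and starts (slow) work.
  beginToolCall(id: number, owner: string, input: string): void {
    this.inFlight.set(id, { owner, input });
  }

  // Phase 2: the work completes and the response is sent on the current transport.
  finishToolCall(id: number): void {
    const call = this.inFlight.get(id);
    if (!call || !this.transport) throw new Error(`no in-flight call ${id}`);
    this.inFlight.delete(id);
    this.transport.send({ id, result: `result for ${call.owner}: ${call.input}` });
  }
}

type Delivery = { [client: string]: string[] };

// Scripted interleaving: A's call is in flight when B connects to "its" server.
// `serverFor` decides whether both clients get the same instance or their own.
function runScenario(serverFor: (client: string) => ServerModel): Delivery {
  const a = new FakeTransport("client-A");
  const b = new FakeTransport("client-B");
  const serverA = serverFor(a.clientName);
  const serverB = serverFor(b.clientName);

  serverA.connect(a);
  serverA.beginToolCall(1, "client-A", "constructed: A's private document");
  serverB.connect(b); // B connects while A's call is still running
  serverB.beginToolCall(2, "client-B", "constructed: B's private document");
  serverA.finishToolCall(1); // A's result goes to whatever transport is current
  serverB.finishToolCall(2);

  return {
    [a.clientName]: a.received.map((m) => m.result),
    [b.clientName]: b.received.map((m) => m.result),
  };
}

// Vulnerable shape: one instance shared by every client connection.
function runShared(): Delivery {
  const shared = new ServerModel();
  return runScenario(() => shared);
}

// Mitigated shape: a fresh instance per client connection.
function runIsolated(): Delivery {
  return runScenario(() => new ServerModel());
}

// Defender's check: list responses that reached a client they were not for.
function crossClientDeliveries(delivery: Delivery): string[] {
  const leaks: string[] = [];
  for (const [client, results] of Object.entries(delivery)) {
    for (const r of results) {
      if (!r.startsWith(`result for ${client}:`)) {
        leaks.push(`${client} received "${r}"`);
      }
    }
  }
  return leaks;
}

console.log("shared instance:", crossClientDeliveries(runShared()));
console.log("isolated instances:", crossClientDeliveries(runIsolated()));
```

With the shared instance, client B ends up holding both results and client A receives nothing, which matches the advisory's point that the boundary crossing produces no error on either side. With one instance per connection, each client receives only its own result. In a real deployment the isolated shape corresponds to constructing the server and its transport inside each connection handler instead of once at startup, which is the pattern the SDK's own stateless StreamableHTTP examples use.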