2 matches found
CVE-2026-55604
DeepSeek MCP Server (DeepSeek V4) is vulnerable from v1.4.2 up to, but not including, v1.7.0. The issue stems from a process-global SessionStore that accepts caller-supplied session_id values without binding them to any authenticated principal or transport session. An attacker can enumerate activ...
CVE-2026-55605
Summary: CVE-2026-55605 affects the self-hosted HTTP transport of @arikusi/deepseek-mcp-server used with DeepSeek V4. starting in 1.4.2 and before 1.8.0, the POST /mcp endpoint is exposed without authentication due to createMcpExpressApp being called without an authProvider and missing route guar...