PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55604 arikusi CVE debrief

CVE-2026-55604 is a high-severity vulnerability in DeepSeek MCP Server, allowing attackers to enumerate and reuse session IDs, potentially leading to sensitive information disclosure. The vulnerability affects DeepSeek MCP Server versions 1.4.2 to 1.6.0 and is patched in version 1.7.0. This vulnerability has a high CVSS score of 8.6 and is considered HIGH severity. Users of affected versions should prioritize patching to mitigate potential risks.

Vendor
arikusi
Product
deepseek-mcp-server
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Users of DeepSeek MCP Server, especially those using versions 1.4.2 to 1.6.0, should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 1.7.0 or later and implementing additional authentication and session management mechanisms. Security teams and operators should review the vulnerability details and assess their exposure.

Technical summary

The process-global `SessionStore` in DeepSeek MCP Server accepts caller-supplied `session_id` values without binding them to any authenticated principal or transport session. An attacker can enumerate active session IDs via `deepseek_sessions`, then reuse a victim-controlled `session_id` in `deepseek_chat` to retrieve and continue the victim's conversation context. This vulnerability can lead to sensitive information disclosure if exploited.

Defensive priority

High

Recommended defensive actions

  • Upgrade to version 1.7.0 or later
  • Implement additional authentication and session management mechanisms
  • Monitor for suspicious activity related to session enumeration and reuse
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-09T22:17:06.247Z and was last modified on 2026-07-10T16:16:33.620Z. The NVD entry is currently 8.6 HIGH. The DeepSeek MCP Server vulnerability allows attackers to enumerate and reuse session IDs, potentially leading to sensitive information disclosure. Evidence is limited, and defenders should verify affected scope and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T22:17:06.247Z and has not been modified since then. The NVD entry is currently 8.6 HIGH.