Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Fri, 10 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 10 Jul 2026 10:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Arikusi
Arikusi deepseek-mcp-server |
|
| Vendors & Products |
Arikusi
Arikusi deepseek-mcp-server |
Thu, 09 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the process-global `SessionStore` accepts caller-supplied `session_id` values without binding them to any authenticated principal or transport session. An attacker can enumerate active session IDs via `deepseek_sessions`, then reuse a victim-controlled `session_id` in `deepseek_chat` to retrieve and continue the victim's conversation context. Version 1.7.0 contains a patch. | |
| Title | @arikusi/deepseek-mcp-server has an Authorization Bypass Through User-Controlled Key | |
| Weaknesses | CWE-639 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-10T14:42:09.579Z
Reserved: 2026-06-16T23:31:22.445Z
Link: CVE-2026-55604
Updated: 2026-07-10T14:39:10.996Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-13T07:00:04Z