CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-55604

highCVSS 8.6covered by 1 sourcefirst seen 2026-07-09
DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the process-global SessionStore accepts caller-supplied session_id values without binding them to any authenticated principal or transport session. An attacker can enumerate active session IDs via deepseek_sessions, then reuse a victim-controlled session_id in deepseek_chat to retrieve and continue the victim's conversation context. Version 1.7.0 contains a patch.

⚡ Watch CVE-2026-55604

Get an email if CVE-2026-55604 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-55604

CVE.org record

Embed the live status

CVE-2026-55604 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-55604 status](https://www.csirts.com/badge/CVE-2026-55604)](https://www.csirts.com/cve/CVE-2026-55604)