CVE-2026-25905 MEDIUM

CVE-2026-25905: Lack of isolation in mcp-run-python leads to MCP server takeover

Weakness CWE-653

Published February 9, 2026

Last update February 9, 2026

View on NVD All CVEs

CVSS base score

5.8/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

Description

The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing. Note - the "mcp-run-python" project is archived and unlikely to receive a fix.

Key dates

Disclosure timeline

February 9, 2026 CVE published

February 9, 2026 Record updated