CVE-2026-55605
Deferred Deferred - Pending Action

Unauthenticated Remote Code Execution in DeepSeek MCP Server

Vulnerability report for CVE-2026-55605, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.8.0, the self-hosted HTTP transport of `@arikusi/deepseek-mcp-server` exposes `POST /mcp` without any authentication: `createMcpExpressApp` is called without an `authProvider` and no middleware guards the route, so any network-reachable client can issue an unauthenticated `initialize` request and obtain a valid MCP session identifier. In reproduced testing against commit `5e1302171e99`, an unauthenticated client was able to initialize a session, enumerate tools, and invoke the local `deepseek_sessions` tool with no credentials. The same unauthenticated session also exposes `deepseek_chat`, whose handler uses the server-side `DEEPSEEK_API_KEY` when self-hosted deployments configure one. This issue applies to self-hosted HTTP mode, not the separately documented hosted BYOK endpoint in `README.md`, which expects an `Authorization: Bearer ...` header. Upstream self-hosted container assets enable HTTP mode by default (`Dockerfile`) and publish port `3000` (`docker-compose.yml`). Version 1.8.0 contains a patch for this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
arikusi deepseek_mcp_server to 1.8.0 (exc)
arikusi deepseek_mcp_server 1.8.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in DeepSeek MCP Server versions starting from 1.4.2 up to but not including 1.8.0. The self-hosted HTTP transport exposes the POST /mcp endpoint without any authentication because the server is configured without an authProvider and lacks middleware to guard this route.

As a result, any client that can reach the network can send an unauthenticated initialize request to obtain a valid MCP session identifier. This allows the client to enumerate tools and invoke local tools such as deepseek_sessions without credentials.

Additionally, the unauthenticated session exposes deepseek_chat, which uses the server-side DEEPSEEK_API_KEY if configured, potentially exposing sensitive API key usage.

This issue only affects the self-hosted HTTP mode and not the hosted BYOK endpoint, which requires authorization headers. The vulnerability was patched in version 1.8.0.

Compliance Impact

The vulnerability allows unauthenticated network clients to initialize sessions and invoke tools without credentials, potentially exposing internal server functionality and data.

While the CVE description does not explicitly mention compliance with standards such as GDPR or HIPAA, the ability for unauthenticated access could lead to unauthorized data access or manipulation, which may violate data protection and privacy requirements under these regulations.

Organizations using affected versions of DeepSeek MCP Server should consider this vulnerability a risk to compliance frameworks that require strict access controls and data confidentiality.

Impact Analysis

This vulnerability allows an unauthenticated attacker to initialize a session and interact with the DeepSeek MCP Server without any credentials.

An attacker can enumerate available tools and invoke local tools such as deepseek_sessions, potentially gaining unauthorized access to server functionality.

The exposure of deepseek_chat functionality using the server-side API key could lead to unauthorized use of the API key, which might result in further compromise or misuse of services tied to that key.

Overall, this could lead to unauthorized access, potential data exposure, and misuse of server capabilities.

Detection Guidance

This vulnerability can be detected by checking if the DeepSeek MCP Server is running a vulnerable version (starting in 1.4.2 and prior to 1.8.0) and if the HTTP transport exposes the unauthenticated POST /mcp endpoint.

You can attempt to detect the vulnerability by sending an unauthenticated POST request to the /mcp endpoint on port 3000 (default exposed port) and observing if a valid MCP session identifier is returned.

Example command using curl to test the endpoint:

  • curl -X POST http://<target-ip>:3000/mcp -d '{"action":"initialize"}' -H 'Content-Type: application/json'

If the response includes a valid session identifier without authentication, the system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to upgrade the DeepSeek MCP Server to version 1.8.0 or later, where this issue is patched.

Alternatively, if upgrading is not immediately possible, restrict network access to the server's port 3000 to trusted clients only, preventing unauthenticated external access.

Additionally, review and implement authentication middleware for the POST /mcp endpoint to prevent unauthenticated session initialization.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55605. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart