Upgrade MCP SDK to latest #28109

Merged: elithrar merged 2 commits into production from sync-docs-pr-848 on Feb 6, 2026

@agents-git-bot agents-git-bot bot commented Feb 5, 2026

Summary

This PR documents the breaking changes introduced in MCP SDK 1.26.0, which fixes a critical security vulnerability (CVE) where responses from one client could leak to another client when using shared server or transport instances in stateless MCP servers.

Changes Made

  • Added comprehensive migration guide for MCP SDK 1.26.0
  • Updated all stateless MCP server examples to create new McpServer instances per request
  • Added security vulnerability warning with link to CVE advisory
  • Included before/after code examples showing the correct pattern
  • Added comparison table showing which server types are affected
  • Provided guidance for raw SDK transport users

Breaking Change Details

Who is affected:

  • Stateless servers using createMcpHandler with global McpServer instances
  • Stateless servers using raw SDK transport

Who is NOT affected:

  • Stateful servers using Agent/Durable Object (these create instances per agent already)

Required Action:
Developers must update their code to create new McpServer instances per request instead of sharing a single global instance.

Related

🤖 Generated with Claude Code

@github-actions github-actions bot added the product:agents (Build and deploy AI-powered Agents on Cloudflare that can act autonomously.) and size/m labels Feb 5, 2026

github-actions bot commented Feb 5, 2026

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern: /src/content/docs/agents/
Owners: @irvinebroque, @rita3ko, @elithrar, @thomasgauvin, @threepointone, @whoiskatrin, @cloudflare/pcx-technical-writing, @cloudflare/ai-agents

agents-git-bot bot commented Feb 5, 2026

Additional Updates

Pushed additional improvements to the documentation:

  • Added Migration Guide: New section showing developers how to migrate from the insecure pattern (global server instance) to the secure pattern (factory function)
  • Enhanced Security Warnings: Updated the caution callout with a direct link to CVE-2025-27098 for better visibility
  • Improved Explanations: Clarified that the pattern "prevents data leakage between clients" rather than just generic "security vulnerabilities"

The migration guide provides clear before/after examples to help developers update their existing implementations.

MCP SDK 1.26.0 introduces a guard that prevents connecting to a server
instance that has already been connected to a transport. This fixes a
security vulnerability (CVE) where sharing server or transport instances
could leak cross-client response data.

Updated all stateless MCP server examples to create new server instances
per request instead of sharing a single global instance. This affects:
- mcp-handler-api.mdx: Added breaking change notice and updated example
- transport.mdx: Updated both unauthenticated and authenticated examples
- chatgpt-app.mdx: Refactored to use createServer() function pattern

Refs: cloudflare/agents#848

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

@agents-git-bot agents-git-bot bot changed the title from "Sync docs for PR #848: Upgrade MCP SDK to latest" to "Upgrade MCP SDK to latest" Feb 5, 2026

- Add security vulnerability warning and migration guide for MCP SDK 1.26.0
- Update stateless MCP server examples to create new McpServer instances per request
- Document the CVE fix that prevents cross-client response leakage
- Include before/after code examples and comparison table
- Add guidance for raw SDK transport users

Related to cloudflare/agents#848

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
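
A simplified model of the shared-instance problem the two commit messages above describe, added here as an illustration; it is not code from this PR, the Cloudflare docs or the MCP SDK. ToyTransport, ToyServer and overlap are hypothetical names, and the way an unguarded second connect replaces the earlier transport is an assumption made for the model.

```typescript
// Simplified model, not SDK code: ToyTransport and ToyServer are hypothetical.
class ToyTransport {
  received: string[] = [];
  send(msg: string): void { this.received.push(msg); }
}
class ToyServer {
  private transport?: ToyTransport;
  private guard: boolean;
  constructor(guard: boolean) { this.guard = guard; }

  connect(t: ToyTransport): void {
    // Guard as the PR describes it: refuse a second connect on one instance.
    if (this.guard && this.transport) {
      throw new Error("already connected to a transport");
    }
    // Assumed pre-fix behaviour: the earlier client's transport is replaced.
    this.transport = t;
  }

  // Starts a request; the returned callback completes it later (an awaited tool call).
  handle(id: string): () => void {
    return () => this.transport!.send(`result:${id}`);
  }
}
type Outcome = { alice: string[]; bob: string[]; error: string | undefined };

// Two overlapping requests; getServer decides whether they share an instance.
function overlap(getServer: () => ToyServer): Outcome {
  const alice = new ToyTransport();
  const bob = new ToyTransport();
  let error: string | undefined;
  try {
    const a = getServer();
    a.connect(alice);
    const finishAlice = a.handle("alice-1"); // still in flight
    const b = getServer();
    b.connect(bob); // second client arrives
    b.handle("bob-1")();
    finishAlice();
  } catch (e) {
    error = (e as Error).message;
  }
  return { alice: alice.received, bob: bob.received, error };
}

const sharedUnguarded = new ToyServer(false); // global instance, no guard
const sharedGuarded = new ToyServer(true); // global instance, guard present
const leaked = overlap(() => sharedUnguarded); // alice's result lands on bob's transport
const blocked = overlap(() => sharedGuarded); // second connect throws instead of leaking
const isolated = overlap(() => new ToyServer(true)); // factory: one instance per request
```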

elithrar commented Feb 6, 2026

/bonk review this. fix any build issues present.

ask-bonk bot commented Feb 6, 2026

Review Summary

No build issues found in this PR. The three changed MDX files compile cleanly through the Astro/Vite build. The only build failure encountered (Object.groupBy is not a function in src/pages/changelog/rss/[area].xml.ts) is a pre-existing issue caused by Node 20 lacking Object.groupBy (requires Node 21+) and is completely unrelated to this PR.

Files reviewed

All three files are clean - no fixes needed:

  1. chatgpt-app.mdx - Correctly wraps global McpServer in a createServer() factory function, both in the step-5 code and the "Key concepts" section. Imports are correct. No issues.

  2. mcp-handler-api.mdx - Adds a :::caution callout about the SDK 1.26.0 breaking change, updates the stateless example to use a factory function, and adds a comprehensive migration guide section with before/after examples and a raw SDK transport example. The TypeScriptExample component wrappers are used correctly. Internal link to #migration-guide-for-mcp-sdk-1260 is a same-page anchor that matches the heading. No issues.

  3. transport.mdx - Updates both the unauthenticated and authenticated examples to use the createServer() factory pattern. No issues.

Internal links verified

All internal links in the changed files resolve to existing pages:

  • /agents/model-context-protocol/mcp-agent-api/
  • /agents/model-context-protocol/authorization/
  • /agents/guides/remote-mcp-server/
  • /agents/model-context-protocol/tools/
  • /agents/api-reference/agents-api/ (resolves to agents-api.mdx)
  • /agents/guides/test-remote-mcp-server/

Content quality

The changes are consistent and correct - every stateless MCP server example across all three files has been updated to use the factory function pattern to avoid the CVE-2025-27098 cross-client response leakage vulnerability.

github run

@elithrar elithrar enabled auto-merge (squash) February 6, 2026 16:51

@elithrar elithrar left a comment

LGTM.

@elithrar elithrar merged commit a6b5773 into production Feb 6, 2026
9 checks passed
@elithrar elithrar deleted the sync-docs-pr-848 branch February 6, 2026 16:51