A vulnerability classified as critical has been found in 78 xiaozhi-esp32 up to 2.2.6. It affects the function ParseMessage in the file main/mcp_server.cc of the component MCP Response Handler. The manipulation causes improper synchronization. The vulnerability is registered as CVE-2026-13489. The attack can be carried out remotely, and an exploit is available. The pull request that fixes this issue awaits acceptance.