GHSA-G53W-W6MJ-HRPP

Vulnerability from github – Published: 2026-05-19 19:42 – Updated: 2026-05-19 19:42
Summary
MCP Gateway: Authority-injection and JWT/session bypass via the unauthenticated router hair-pin "router-key" / "mcp-init-host" path
Details

Summary

The MCP router (ext_proc) exposes an initialize-method code path that, when a request carries an mcp-init-host header, bypasses the gateway JWT session validator and rewrites the upstream :authority header to whatever the caller chooses, gated only by a single shared header value (router-key). The shared value is

  • a literal string (secret-api-key) baked into cmd/mcp-broker-router/main.go as a fall-back default, and
  • in controller-managed deployments, a SHA-256 truncation of the MCPGatewayExtension UID — a non-secret value visible to anyone with get permission on the resource, and additionally exposed in argv because it is passed to the broker-router container via --mcp-router-key=....

A request that satisfies the trivial header check is forwarded to any backend listener registered with the gateway (including external services such as api.githubcopilot.com when configured), bypassing both the broker (where the signed x-mcp-authorized capability filter is enforced) and the gateway's JWT-based session model.
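An added example, not code from the advisory or from the mcp-gateway project: a Go check over the broker-router container's args that reports which of the two weak router-key sources described above applies. It assumes the `--mcp-router-key` flag is the only way the key is supplied; `AuditRouterKey`, its finding labels and the sample args are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Flag name and fall-back default as named in the advisory.
const (
	routerKeyFlag    = "mcp-router-key"
	defaultRouterKey = "secret-api-key"
)

// routerKeyFromArgs returns the last value given for the router-key flag.
// It accepts -f=v, --f=v, -f v and --f v, the forms Go's flag package parses.
func routerKeyFromArgs(args []string) (value string, found bool) {
	for i, a := range args {
		name := strings.TrimLeft(a, "-")
		if name == a {
			continue // no leading dash: not a flag
		}
		if k, v, ok := strings.Cut(name, "="); ok && k == routerKeyFlag {
			value, found = v, true
		} else if name == routerKeyFlag && i+1 < len(args) {
			value, found = args[i+1], true
		}
	}
	return value, found
}

// AuditRouterKey reports how the key is supplied (hypothetical helper).
func AuditRouterKey(args []string) []string {
	value, found := routerKeyFromArgs(args)
	if !found {
		return []string{"fallback-default"} // binary uses the built-in literal
	}
	findings := []string{"key-in-argv"} // value is exposed in argv
	if value == defaultRouterKey {
		findings = append(findings, "literal-default")
	}
	return findings
}

func main() {
	// Constructed sample args, not taken from a real deployment.
	for _, s := range [][]string{{"--log-level=info"}, {"--mcp-router-key=secret-api-key"}, {"--mcp-router-key", "0123abcd"}} {
		fmt.Println(s, "->", AuditRouterKey(s))
	}
}
```

Every outcome is a finding: on the affected versions listed in the record, none of these key sources is a secret.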


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/Kuadrant/mcp-gateway"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-346",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T19:42:46Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n \nThe MCP router (ext_proc) exposes an `initialize`-method code path that, when a\nrequest carries an `mcp-init-host` header, bypasses the gateway JWT session\nvalidator and rewrites the upstream `:authority` header to whatever the caller\nchooses, gated only by a single shared header value (`router-key`). The shared\nvalue is\n\n* a literal string (`secret-api-key`) baked into `cmd/mcp-broker-router/main.go`\n  as a fall-back default, and\n* in controller-managed deployments, a SHA-256 truncation of the\n  `MCPGatewayExtension` UID \u2014 a non-secret value visible to anyone with `get`\n  permission on the resource, and additionally exposed in `argv` because it is\n  passed to the broker-router container via `--mcp-router-key=...`.\n\nA request that satisfies the trivial header check is forwarded to any backend\nlistener registered with the gateway (including external services such as\n`api.githubcopilot.com` when configured), bypassing both the broker (where the\nsigned `x-mcp-authorized` capability filter is enforced) and the gateway\u0027s\nJWT-based session model.",
  "id": "GHSA-g53w-w6mj-hrpp",
  "modified": "2026-05-19T19:42:46Z",
  "published": "2026-05-19T19:42:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Kuadrant/mcp-gateway/security/advisories/GHSA-g53w-w6mj-hrpp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Kuadrant/mcp-gateway"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MCP Gateway: Authority-injection and JWT/session bypass via the unauthenticated router hair-pin \"router-key\" / \"mcp-init-host\" path"
}

