GHSA-6FPF-248C-M7WM

Vulnerability from github – Published: 2026-03-31 23:07 – Updated: 2026-03-31 23:07
VLAI?
Summary
Sliver One-Click Remote Access: Insecure CORS & Unauthenticated MCP Interface
Details

A single click on a malicious link gives an unauthenticated attacker immediate, silent control over every active C2 session or beacon, capable of exfiltrating all collected target data (e.g. SSH keys, ntds.dit) or destroying the entire compromised infrastructure, entirely through the operator's own browser.

Description

The Sliver MCP server runs inside the Sliver Client and binds an unauthenticated HTTP and SSE interface to localhost:8080 by default. The service returns a permissive Access-Control-Allow-Origin: * header on all responses.

Because this server is client-side, the attack surface is distributed across every individual operator in the operation. Any arbitrary website can issue cross-origin requests and interact with the MCP interface via an operator's browser, no credentials required.

If the interface is misconfigured to bind to all interfaces (0.0.0.0), the vulnerability escalates from a client-side CSRF/CORS issue to direct, unauthenticated remote access from any actor on the network.

Exposed Methods

Exploitation grants unauthorized access to the following MCP tools: - list_sessions_and_beacons - fs_ls, fs_pwd, fs_cd - fs_cat - fs_rm, fs_mv, fs_cp, fs_mkdir - fs_chmod, fs_chown

PoC

  1. Start the Sliver client with MCP enabled (default localhost:8080)
  2. Open a browser and load a page containing the Proof of Concept JavaScript.
  3. Observe that the page successfully lists sessions and can issue filesystem commands against live implants, with no authentication

Impact Assessment

Successful exploitation results in total operational compromise. - Direct Infrastructure Exposure: If misconfigured to 0.0.0.0, the C2 framework becomes fully accessible to any actor on the network or internet without requiring operator interaction. - Information Leakage: Complete visibility into active sessions, deployed beacons, and file system structures (list_sessions_and_beacons, fs_ls, fs_pwd). - Arbitrary File Read: Covert exfiltration of any target data (e.g., SSH keys, ntds.dit) through the C2 channel (fs_cat). - Integrity & Availability Loss: Arbitrary deletion or modification of files on compromised targets, leading to potential sabotage or denial of service (fs_rm, fs_mv, fs_cp).

Severity: Critical

Attack Scenarios

Scenario 1: Data Exfiltration via Drive-by Execution (Default Localhost) An operator clicks a link to a benign-looking site hosting malicious JavaScript (e.g. via open redirect). The script executes commands against localhost:8080, retrieves the operator's target list, and silently downloads sensitive files (e.g., a target's ntds.dit) using the operator's existing C2 connections.

Scenario 2: Campaign Neutralization (Default Localhost) A malicious site lures an operator to a controlled domain. Embedded JavaScript immediately issues fs_rm commands across all active implants, mass-deleting beacons and permanently severing operator access to the target network in a single click.

Scenario 3: Direct Takeover (0.0.0.0 Misconfiguration) An operator configures the MCP interface to listen on 0.0.0.0 for team access. An external attacker scans the network, discovers the exposed port, and directly issues unauthenticated API calls to hijack active sessions, drop connections, or exfiltrate data.

Technical Root Cause

The vulnerability stems from an insecure integration with the mcp-go library. While the library hardcodes permissive CORS (Access-Control-Allow-Origin: *), it also fails to validate the Content-Type header. This allows an attacker to use Simple Requests (e.g., text/plain) to bypass the browser's CORS preflight (OPTIONS) check entirely, making the attack highly reliable across all modern browsers without any additional techniques.

Furthermore, the Sliver implementation fails to implement any authentication middleware or origin restrictions to protect the sensitive RPC interface, meaning even if the CORS behavior were corrected upstream in mcp-go, the endpoint would remain fully unauthenticated.

## Demo

https://github.com/user-attachments/assets/b18216c2-2c0b-41a2-aa39-229b3f148c24

Severity ?
5.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.7.3"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/bishopfox/sliver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-942"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T23:07:48Z",
    "nvd_published_at": "2026-03-31T16:16:32Z",
    "severity": "MODERATE"
  },
  "details": "A single click on a malicious link gives an unauthenticated attacker immediate, silent control over every active C2 session or beacon, capable of exfiltrating all collected target data (e.g. SSH keys, `ntds.dit`) or destroying the entire compromised infrastructure, entirely through the operator\u0027s own browser.\n\n## Description\nThe Sliver MCP server runs inside the Sliver Client and binds an unauthenticated HTTP and SSE interface to `localhost:8080` by default. The service returns a permissive `Access-Control-Allow-Origin: *` header on all responses.\n\nBecause this server is client-side, the attack surface is distributed across every individual operator in the operation. Any arbitrary website can issue cross-origin requests and interact with the MCP interface via an operator\u0027s browser, no credentials required.\n\nIf the interface is misconfigured to bind to all interfaces (`0.0.0.0`), the vulnerability escalates from a client-side CSRF/CORS issue to direct, unauthenticated remote access from any actor on the network.\n\n\n## Exposed Methods\nExploitation grants unauthorized access to the following MCP tools:\n- `list_sessions_and_beacons`\n- `fs_ls`, `fs_pwd`, `fs_cd`\n- `fs_cat`\n- `fs_rm`, `fs_mv`, `fs_cp`, `fs_mkdir`\n- `fs_chmod`, `fs_chown`\n\n## PoC \n1. Start the Sliver client with MCP enabled (default `localhost:8080`)\n2. Open a browser and load a page containing the [Proof of Concept JavaScript](https://github.com/skoveit/CVE-2026-34227).\n3. Observe that the page successfully lists sessions and can issue filesystem commands against live implants, with no authentication\n\n## Impact Assessment\nSuccessful exploitation results in total operational compromise.\n- **Direct Infrastructure Exposure:** If misconfigured to `0.0.0.0`, the C2 framework becomes fully accessible to any actor on the network or internet without requiring operator interaction.\n- **Information Leakage:** Complete visibility into active sessions, deployed beacons, and file system structures (`list_sessions_and_beacons`, `fs_ls`, `fs_pwd`).\n- **Arbitrary File Read:** Covert exfiltration of any target data (e.g., SSH keys, `ntds.dit`) through the C2 channel (`fs_cat`).\n- **Integrity \u0026 Availability Loss:** Arbitrary deletion or modification of files on compromised targets, leading to potential sabotage or denial of service (`fs_rm`, `fs_mv`, `fs_cp`).\n\n**Severity: Critical**\n\n\n\n## Attack Scenarios\n**Scenario 1: Data Exfiltration via Drive-by Execution (Default Localhost)** An operator clicks a link to a benign-looking site hosting malicious JavaScript (e.g. via open redirect). The script executes commands against `localhost:8080`, retrieves the operator\u0027s target list, and silently downloads sensitive files (e.g., a target\u0027s `ntds.dit`) using the operator\u0027s existing C2 connections.\n\n **Scenario 2: Campaign Neutralization (Default Localhost)** A malicious site lures an operator to a controlled domain. Embedded JavaScript immediately issues `fs_rm` commands across all active implants, mass-deleting beacons and permanently severing operator access to the target network in a single click.\n\n **Scenario 3: Direct Takeover (0.0.0.0 Misconfiguration)** An operator configures the MCP interface to listen on `0.0.0.0` for team access. An external attacker scans the network, discovers the exposed port, and directly issues unauthenticated API calls to hijack active sessions, drop connections, or exfiltrate data.\n \n \n## Technical Root Cause\nThe vulnerability stems from an insecure integration with the `mcp-go` library. While the library hardcodes permissive CORS (`Access-Control-Allow-Origin: *`), it also fails to validate the `Content-Type` header. This allows an attacker to use Simple Requests (e.g., `text/plain`) to bypass the browser\u0027s CORS preflight (`OPTIONS`) check entirely, making the attack highly reliable across all modern browsers without any additional techniques.\n\nFurthermore, the Sliver implementation fails to implement any authentication middleware or origin restrictions to protect the sensitive RPC interface, meaning even if the CORS behavior were corrected upstream in `mcp-go`, the endpoint would remain fully unauthenticated.\n\n\n---\n\n ## Demo\n \nhttps://github.com/user-attachments/assets/b18216c2-2c0b-41a2-aa39-229b3f148c24",
  "id": "GHSA-6fpf-248c-m7wm",
  "modified": "2026-03-31T23:07:48Z",
  "published": "2026-03-31T23:07:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-6fpf-248c-m7wm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34227"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/BishopFox/sliver"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Sliver One-Click Remote Access: Insecure CORS \u0026 Unauthenticated MCP Interface"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.