
34 matches found

Packet Storm News
added 2026/05/21 12:00 a.m. · 5 views

A First Measurement Study on Authentication Security in Real-World Remote MCP Servers

The Model Context Protocol (MCP) is emerging as a common interface connecting large language models (LLMs) with external services. Remote deployments are becoming increasingly important as agents connect to user-linked online services, such as social, productivity, and financial services. In such...

AI score 5.8
Exploits 0
Github Security Blog
added 2026/04/16 10:38 p.m. · 6 views

Authlib: Cross-site request forging when using cache

Summary: There is no CSRF protection on the cache feature in most integration clients. Details: In authlib.integrations.starlette_client.OAuth, no CSRF protection is set up when using the cache parameter. When not using the cache parameter, the use of SessionMiddleware ties the client to the auth...

CVSS 5.4 · AI score 5.8 · EPSS 0.00017
Exploits 1 · References 3 · Affected Software 1
Circl
added 2026/04/16 11:06 a.m. · 0 views

CVE-2026-40575

creation timestamp | type | source
---|---|---
2026-04-16 11:06:42+00:00 | seen | https://ccb.belgium.be/advisories/warning-critical-authentication-bypass-oauth2-can-lead-unauthorized-data-access-patch
2026-04-22 01:19:23+00:00 | seen | Telegram/LUR06ONloRlViUIW27ojzHZG9BE33b4Dag-8VffcgXgN8
2026-04-22...

CVSS 9.1 · AI score 4.8 · EPSS 0.00093
Exploits 0 · References 5
Snyk
added 2026/04/01 11:36 p.m. · 2 views

Use of GET Request Method With Sensitive Query Strings

Overview Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings in the OAuth provider callback flow. An attacker can gain unauthorized access to sensitive information by intercepting refresh tokens exposed in URL query parameters through browser...

CVSS 7.5 · AI score 5.8 · EPSS 0.00063
Exploits 1 · References 2
Positive Technologies
added 2026/03/20 12:00 a.m. · 2 views

PT-2026-26609

Name of the Vulnerable Software and Affected Versions: versions prior to 2026-31381. Description: An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL. The vulnerability involves the exposure of Personally Identifiable...

CVSS 6.1 · AI score 6 · EPSS 0.00017
Exploits 1 · References 8
UbuntuCve
added 2026/03/16 6:16 p.m. · 1 view

CVE-2026-27962

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any...

CVSS 9.1 · AI score 7.1 · EPSS 0.00081
Exploits 1 · References 2
EUVD
added 2026/03/16 3:14 p.m. · 1 view

EUVD-2025-208759

FastMCP OAuth Proxy token reuse across MCP servers...

CVSS 7.4 · AI score 5.8 · EPSS 0.00022
Exploits 1 · References 1
CVE
added 2026/03/13 7:44 p.m. · 4 views

CVE-2026-31944

LibreChat’s breach involves the MCP OAuth callback endpoint incorrectly accepting redirects without verifying the user session or initiator. From versions 0.8.2 through 0.8.2-rc3, an attacker can lure a victim to complete the OAuth flow, causing the victim’s OAuth tokens to be stored on the attac...

CVSS 7.6 · AI score 5.8 · EPSS 0.0004
Exploits 1 · References 1 · Affected Software 1
Positive Technologies
added 2026/03/12 12:00 a.m. · 0 views

PT-2026-25054

Impact: Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's...

CVSS 9.1 · AI score 5.8 · EPSS 0.00066
Exploits 0 · References 13
NVD
added 2026/03/05 10:16 p.m. · 3 views

CVE-2026-28477

OpenClaw versions prior to 2026.2.14 contain an OAuth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token...

CVSS 7.1 · EPSS 0.00021
Exploits 0 · References 3
Microsoft Secure
added 2026/03/02 7:29 p.m. · 2 views

OAuth redirection abuse enables phishing and malware delivery

Microsoft observed phishing-led exploitation of OAuth’s by-design redirection mechanisms. The activity targets government and public-sector organizations and uses silent OAuth authentication flows and intentionally invalid scopes to redirect victims to attacker-controlled infrastructure without...

AI score 6.2
Exploits 0
Positive Technologies
added 2026/02/18 12:00 a.m. · 3 views

PT-2026-23552

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14. Description: The manual Chutes OAuth login flow in OpenClaw is susceptible to a bypass of OAuth CSRF state validation. This allows an attacker to bypass CSRF protection by convincing a user to paste...

CVSS 7.1 · AI score 5.8 · EPSS 0.00021
Exploits 0 · References 8
OSV
added 2026/02/17 6:09 p.m. · 0 views

GO-2026-4463 Mattermost Server uses weak hashing for OAuth, email verification tokens and invitations in github.com/mattermost/mattermost-server

Mattermost Server uses weak hashing for OAuth, email verification tokens and invitations in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...

CVSS 7.5 · AI score 5.6 · EPSS 0.00151
Exploits 0 · References 5
CNNVD
added 2026/01/26 12:00 a.m. · 3 views

sigstore-python Cross-Site Request Forgery Vulnerability

sigstore-python is an open-source tool developed by sigstore for generating and verifying Sigstore signatures in Python. Versions of sigstore-python prior to 4.2.0 contained a cross-site request forgery vulnerability. This vulnerability stemmed from the OAuth authentication process’s...

CVSS 5 · AI score 5.7 · EPSS 0.00007
Exploits 0 · References 4
Positive Technologies
added 2025/12/12 12:00 a.m. · 2 views

PT-2025-50819

The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the foxtool login google function. This makes it...

CVSS 4.3 · AI score 5.2 · EPSS 0.00013
Exploits 0 · References 5
CVE
added 2025/11/27 3:55 p.m. · 32 views

CVE-2025-12419

Mattermost contains an OAuth/OpenID Connect validation flaw where OAuth state tokens are not properly validated during authentication, enabling an authenticated attacker with team-creation privileges to take over a user account by manipulating data in the OAuth completion flow. The issue affects ...

CVSS 9.9 · AI score 6.4 · EPSS 0.00086
Exploits 0 · References 1 · Affected Software 1
CVE
added 2025/11/19 5:03 p.m. · 5 views

CVE-2025-64521

CVE-2025-64521 affects authentik, an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, authenticating to an OAuth provider with client_id/client_secret could create a service account for the provider, and that account could be used even if deactivated. The issue was fixed i...

CVSS 4.8 · AI score 6.5 · EPSS 0.00035
Exploits 0 · References 2 · Affected Software 1
OSV
added 2025/11/12 4:29 a.m. · 1 view

MAL-2025-145723 Malicious code in oauth-blitz-nestjs-pipe (npm)

-= Per source details. Do not edit below this line. =-
Source: amazon-inspector 616d1f18d44df442a0d86e3b0b3818a450265f6527b0f215fa5517c7ecb24ebc
This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts (auto.js, ...

AI score 6.8
Exploits 0
Vulnrichment
added 2025/10/03 4:44 p.m. · 3 views

CVE-2025-61591 Cursor CLI's Cursor Agent MCP OAuth2 Communication is Vulnerable to Remote Code Execution

Cursor is a code editor built for programming with AI. In versions 1.7 and below, when MCP uses OAuth authentication with an untrusted MCP server, an attacker can impersonate a malicious MCP server and return crafted, maliciously injected commands during the interaction process, leading to comman...

CVSS 8.8 · AI score 9 · EPSS 0.00039
Exploits 0 · References 1
Positive Technologies
added 2025/10/03 12:00 a.m. · 2 views

PT-2025-40536

Name of the Vulnerable Software and Affected Versions: Cursor versions 1.7 and earlier. Description: Cursor, a code editor for programming with AI, has an issue where, when using OAuth authentication with an untrusted MCP server, an attacker can impersonate a malicious server and inject commands. Th...

CVSS 8.8 · AI score 9.1 · EPSS 0.00039
Exploits 0 · References 5