5 matches found
Exploit for Missing Authentication for Critical Function in Mcpjam Inspector
CVE-2026-23744 — MCPJam Unauthenticated Remote Code Execution...
GHSA-VW82-7FV8-R6GP Obot has an authorization bypass in /mcp-connect/{id} that allows any authenticated user to use any registered MCP server
Summary If you have the MCP Server ID, you can connect to the MCP server even if you don't have permissions to the server. The MCP gateway endpoint /mcp-connect/mcpid does not enforce Access Control Rules ACRs. Any authenticated Obot user who possesses an MCP Server ID can connect to that server...
Obot has an authorization bypass in /mcp-connect/{id} that allows any authenticated user to use any registered MCP server
Summary If you have the MCP Server ID, you can connect to the MCP server even if you don't have permissions to the server. The MCP gateway endpoint /mcp-connect/mcpid does not enforce Access Control Rules ACRs. Any authenticated Obot user who possesses an MCP Server ID can connect to that server...
Exploit for Missing Authentication for Critical Function in Mcpjam Inspector
CVE-2026-23744 — MCP Connect RCE via Unauthenticated Command I...
GHSA-WVR4-3WQ4-GPC5 MCP Connect has unauthenticated remote OS command execution via /bridge endpoint
Summary When AUTHTOKEN and ACCESSTOKEN environment variables are not set which is the default out-of-the-box configuration the /bridge HTTP endpoint is completely unauthenticated. Any network-accessible caller can POST a request with an attacker-controlled serverPath and args payload, causing the...