5 matches found
CVE-2025-66454
Arcade MCP allows you to to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can...
Use of Hard-coded Cryptographic Key
Overview arcade-mcp-server is a Model Context Protocol MCP server framework for Arcade.dev Affected versions of this package are vulnerable to Use of Hard-coded Cryptographic Key via the HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal...
Use of Hard-coded Cryptographic Key
Overview arcade-mcp is an Arcade.dev - Tool Calling platform for Agents Affected versions of this package are vulnerable to Use of Hard-coded Cryptographic Key via the HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. An...
GHSA-G2JX-37X6-6438 arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints
Summary The arcade-mcp HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This...
arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints
Summary The arcade-mcp HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This...