Jul 9, 2026·6 min read·3 visits
Gittensory failed to validate contributor access permissions on its profile REST endpoint and Model Context Protocol tool, exposing cryptographic hotkeys and financial metrics to any authenticated user.
An insecure direct object reference (IDOR) and missing authorization validation check in the Gittensory REST API and Model Context Protocol (MCP) server allowed authenticated users to query arbitrary miner profiles, exposing sensitive cryptographic hotkeys and daily financial/economic yields.
Gittensory serves as a control plane and Model Context Protocol (MCP) tooling ecosystem designed for Gittensor open-source software contributors. The platform exposes both standard HTTP REST endpoints and specialized Model Context Protocol interfaces. These pathways allow automated agents, Large Language Models (LLMs), and developers to query and manage mining profiles, repository statistics, and network contributions.
The attack surface includes the public-facing REST API routes and the corresponding MCP tools configured within the daemon. Specifically, the REST route GET /v1/contributors/:login/profile and the MCP tool gittensory_get_contributor_profile did not implement proper resource validation checks. This left the user profile data exposed to direct queries from any authenticated account, regardless of the account's authorization tier or ownership relations.
The vulnerability is classified under CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key). Because the application retrieves database snapshots that bundle cryptographic identity keys and financial yield indices, an authenticated user could systematically scrape the network. This resulted in unauthorized cross-user extraction of private miner metadata, impacting confidentiality across the deployment.
The root cause of this vulnerability lies in the complete omission of the authorization guard requireContributorAccess on the profile retrieval pathways. Gittensory uses a role-based access validation function to verify if the client making an API request possesses the credentials needed to access a targeted resource. All sibling endpoints under the /v1/contributors/:login/ prefix strictly invoke this validation before completing queries.
In the REST layer implemented in src/api/routes.ts, the router extracted the :login parameter from the HTTP request and immediately invoked the internal database queries. Because the validation check was never called, any valid session identifier or API token was accepted as sufficient authorization to fetch the associated record. The application proceeded to serialize the database snapshot and return it to the client.
The Model Context Protocol server in src/mcp/server.ts suffered from an identical omission. The tool executor for gittensory_get_contributor_profile mapped inputs directly to the internal function getContributorProfile(login). The server failed to verify the caller's permissions relative to the targeted login parameter, resolving queries for any miner handle in the database.
In the vulnerable codebase, the REST route lacked validation logic, as shown in the following code block:
// VULNERABLE
app.get("/v1/contributors/:login/profile", async (c) => {
const login = c.req.param("login");
const [github, pullRequests, issues, cachedRepoStats, gittensorSnapshot] = await Promise.all([
fetchPublicContributorProfile(login),
listContributorPullRequests(c.env, login),
// ... other data fetches
]);
// Returns raw database snapshot containing hotkey and financial metricsThe patch applied by the developer in commit 811ef5fb9d748170011f8854d88c64627ad666a0 introduces the requireContributorAccess validation check at the start of the execution block. If unauthorized, the route returns an error immediately, halting further queries:
// PATCHED
app.get("/v1/contributors/:login/profile", async (c) => {
const login = c.req.param("login");
// Validation guard inserted here
const unauthorized = await requireContributorAccess(c, login);
if (unauthorized) return unauthorized;
const [github, pullRequests, issues, cachedRepoStats, gittensorSnapshot] = await Promise.all([
fetchPublicContributorProfile(login),
listContributorPullRequests(c.env, login),
// ... other data fetches
]);Additionally, the developer implemented defense-in-depth measures in src/mcp/server.ts to redact sensitive fields. Even if authorization checks fail, the sanitization helper redactSensitiveForMcp was expanded using a regular expression filter to strip daily financial yield variables, preventing exposure in subsequent outputs:
// PATCHED
function redactSensitiveForMcp(value: unknown): unknown {
if (!value || typeof value !== "object") return value;
return Object.fromEntries(
Object.entries(value as Record<string, unknown>)
// Added alphaPerDay, taoPerDay, and usdPerDay to the regex filter
.filter(([key]) => !/hotkey|coldkey|wallet|private_key|privateKey|mnemonic|alphaPerDay|taoPerDay|usdPerDay/i.test(key))
.map(([key, entry]) => [key, redactSensitiveForMcp(entry)]),
);
}This multi-layered fix is robust. The explicit endpoint check blocks the execution path entirely, while the updated regex-based redaction prevents accidental field exposure in downstream Large Language Model interactions.
Exploitation of this vulnerability requires only basic authentication to the Gittensory platform. An attacker with a valid low-level session token can issue crafted requests targeting other users.
To exploit the REST endpoint, the attacker identifies a target miner's username, such as victim_miner. They then transmit an HTTP GET request to the profile endpoint with their own authenticated session header:
curl -H "Authorization: Bearer attacker_token" \
https://gittensory.aethereal.dev/v1/contributors/victim_miner/profileBecause the system skips access checks, the API responds with a JSON payload that contains the unredacted Gittensor snapshot. This payload exposes private fields containing cryptographic keys and precise yield metrics:
{
"login": "victim_miner",
"gittensorSnapshot": {
"uid": 142,
"hotkey": "5FHotkeySecretValue_Extracted_Here",
"alphaPerDay": 45.12,
"taoPerDay": 0.15,
"usdPerDay": 56.40
}
}To exploit the Model Context Protocol interface, an attacker issues a JSON-RPC request to the tool pipeline. If the attacker configures an LLM agent with an active MCP session, they can direct the agent to query the vulnerable tool using the target's username:
{
"jsonrpc": "2.0",
"id": "exploit-mcp",
"method": "tools/call",
"params": {
"name": "gittensory_get_contributor_profile",
"arguments": {
"login": "victim_miner"
}
}
}Prior to the patch, this request successfully returned the full database record of the target contributor directly to the calling agent.
The impact of this vulnerability is high due to the sensitivity of the exposed fields. The leaked JSON records contain cryptographic hotkey values. In Gittensor networks, hotkeys identify specific mining nodes and validate transaction signatures. Leakage of hotkey identities allows attackers to map network infrastructure and profile target nodes for secondary attacks.
In addition to cryptographic identity keys, the endpoints leaked real-time financial performance indicators, including alphaPerDay, taoPerDay, and usdPerDay. These indicators represent the daily token and currency yields generated by individual miners. Access to these metrics allows competitors to map operational strategies, locate high-yield mining nodes, and perform targeted resource harvesting.
The CVSS v3.1 score is calculated as 6.5 (Medium/High). The score reflects a Network attack vector (AV:N), low attack complexity (AC:L), and low required privileges (PR:L). No user interaction (UI:N) is required. The impact is limited to confidentiality (C:H) with no direct integrity or availability compromise (I:N/A:N).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
Gittensory JSONbored | < Commit 811ef5fb9d748170011f8854d88c64627ad666a0 | Commit 811ef5fb9d748170011f8854d88c64627ad666a0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-284 / CWE-639 |
| Attack Vector | Network |
| CVSS v3.1 Score | 6.5 |
| EPSS Score | Not Applicable (No CVE Assigned) |
| Impact | Confidentiality Leak (Cryptographic Hotkeys and Yield Data) |
| Exploit Status | PoC Available in Test Suite |
| KEV Status | Not Listed |
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
GHSA-52vm-mxx8-f227 is a dual-vector security flaw in phantom-audio (<= 1.3.0). The vulnerability allows arbitrary file writes due to unconfined Model Context Protocol (MCP) tool paths when the PHANTOM_OUTPUT_DIR environment variable is not defined. Concurrently, the platform lacks validation controls during the decompression of highly compressed audio files, resulting in resource-exhaustion denial of service and downstream parsing vulnerability exposure.
An authenticated path traversal and arbitrary local file read vulnerability exists in Craft CMS versions 4.x up to 4.17.6 within the assets/icon endpoint and Assets helper classes. By exploiting this vulnerability, an authenticated user can traverse directories and read arbitrary .svg files on the server's filesystem, or execute Stored Cross-Site Scripting (XSS) if they can upload a malicious SVG.
CVE-2026-56382 is a high-severity remote code execution vulnerability in Craft CMS versions 5.5.0 through 5.9.13. The vulnerability exists within the FieldsController::actionRenderCardPreview() method due to a lack of sanitization of the user-supplied fieldLayoutConfig configuration array, permitting authenticated administrators to register arbitrary PHP callbacks using Yii2 event handler injection mechanisms. This issue has been fully remediated in version 5.9.14.
Code16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.
CVE-2026-49471 is a high-severity security vulnerability in Serena, an AI-assisted coding Model Context Protocol (MCP) toolkit. In versions prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated Flask API on a predictable port. Lacking host validation and CSRF protections, this endpoint is vulnerable to DNS Rebinding. An attacker can lure a user to a malicious webpage, bypass the Same-Origin Policy (SOP), rewrite the AI agent's persistent memory, and execute arbitrary commands on the host operating system via the autonomous agent's shell execution engine.
The trapster honeypot package is vulnerable to a remote denial of service (DoS) vulnerability due to uncontrolled recursion during the parsing of malformed DNS compression pointers in the decode_labels function.