CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-382C-VX95-W3P5

GHSA-382C-VX95-W3P5: Missing Access Control on Profile Endpoint and MCP Tool in Gittensory

Alon Barad
Alon Barad
Software Engineer

Jul 9, 2026·6 min read·3 visits

Executive Summary (TL;DR)

Gittensory failed to validate contributor access permissions on its profile REST endpoint and Model Context Protocol tool, exposing cryptographic hotkeys and financial metrics to any authenticated user.

An insecure direct object reference (IDOR) and missing authorization validation check in the Gittensory REST API and Model Context Protocol (MCP) server allowed authenticated users to query arbitrary miner profiles, exposing sensitive cryptographic hotkeys and daily financial/economic yields.

Vulnerability Overview

Gittensory serves as a control plane and Model Context Protocol (MCP) tooling ecosystem designed for Gittensor open-source software contributors. The platform exposes both standard HTTP REST endpoints and specialized Model Context Protocol interfaces. These pathways allow automated agents, Large Language Models (LLMs), and developers to query and manage mining profiles, repository statistics, and network contributions.

The attack surface includes the public-facing REST API routes and the corresponding MCP tools configured within the daemon. Specifically, the REST route GET /v1/contributors/:login/profile and the MCP tool gittensory_get_contributor_profile did not implement proper resource validation checks. This left the user profile data exposed to direct queries from any authenticated account, regardless of the account's authorization tier or ownership relations.

The vulnerability is classified under CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key). Because the application retrieves database snapshots that bundle cryptographic identity keys and financial yield indices, an authenticated user could systematically scrape the network. This resulted in unauthorized cross-user extraction of private miner metadata, impacting confidentiality across the deployment.

Root Cause Analysis

The root cause of this vulnerability lies in the complete omission of the authorization guard requireContributorAccess on the profile retrieval pathways. Gittensory uses a role-based access validation function to verify if the client making an API request possesses the credentials needed to access a targeted resource. All sibling endpoints under the /v1/contributors/:login/ prefix strictly invoke this validation before completing queries.

In the REST layer implemented in src/api/routes.ts, the router extracted the :login parameter from the HTTP request and immediately invoked the internal database queries. Because the validation check was never called, any valid session identifier or API token was accepted as sufficient authorization to fetch the associated record. The application proceeded to serialize the database snapshot and return it to the client.

The Model Context Protocol server in src/mcp/server.ts suffered from an identical omission. The tool executor for gittensory_get_contributor_profile mapped inputs directly to the internal function getContributorProfile(login). The server failed to verify the caller's permissions relative to the targeted login parameter, resolving queries for any miner handle in the database.

Code Analysis and Fix Verification

In the vulnerable codebase, the REST route lacked validation logic, as shown in the following code block:

// VULNERABLE
app.get("/v1/contributors/:login/profile", async (c) => {
  const login = c.req.param("login");
  const [github, pullRequests, issues, cachedRepoStats, gittensorSnapshot] = await Promise.all([
    fetchPublicContributorProfile(login),
    listContributorPullRequests(c.env, login),
    // ... other data fetches
  ]);
  // Returns raw database snapshot containing hotkey and financial metrics

The patch applied by the developer in commit 811ef5fb9d748170011f8854d88c64627ad666a0 introduces the requireContributorAccess validation check at the start of the execution block. If unauthorized, the route returns an error immediately, halting further queries:

// PATCHED
app.get("/v1/contributors/:login/profile", async (c) => {
  const login = c.req.param("login");
  // Validation guard inserted here
  const unauthorized = await requireContributorAccess(c, login);
  if (unauthorized) return unauthorized;
 
  const [github, pullRequests, issues, cachedRepoStats, gittensorSnapshot] = await Promise.all([
    fetchPublicContributorProfile(login),
    listContributorPullRequests(c.env, login),
    // ... other data fetches
  ]);

Additionally, the developer implemented defense-in-depth measures in src/mcp/server.ts to redact sensitive fields. Even if authorization checks fail, the sanitization helper redactSensitiveForMcp was expanded using a regular expression filter to strip daily financial yield variables, preventing exposure in subsequent outputs:

// PATCHED
function redactSensitiveForMcp(value: unknown): unknown {
  if (!value || typeof value !== "object") return value;
  return Object.fromEntries(
    Object.entries(value as Record<string, unknown>)
      // Added alphaPerDay, taoPerDay, and usdPerDay to the regex filter
      .filter(([key]) => !/hotkey|coldkey|wallet|private_key|privateKey|mnemonic|alphaPerDay|taoPerDay|usdPerDay/i.test(key))
      .map(([key, entry]) => [key, redactSensitiveForMcp(entry)]),
  );
}

This multi-layered fix is robust. The explicit endpoint check blocks the execution path entirely, while the updated regex-based redaction prevents accidental field exposure in downstream Large Language Model interactions.

Exploitation Methodology

Exploitation of this vulnerability requires only basic authentication to the Gittensory platform. An attacker with a valid low-level session token can issue crafted requests targeting other users.

To exploit the REST endpoint, the attacker identifies a target miner's username, such as victim_miner. They then transmit an HTTP GET request to the profile endpoint with their own authenticated session header:

curl -H "Authorization: Bearer attacker_token" \
     https://gittensory.aethereal.dev/v1/contributors/victim_miner/profile

Because the system skips access checks, the API responds with a JSON payload that contains the unredacted Gittensor snapshot. This payload exposes private fields containing cryptographic keys and precise yield metrics:

{
  "login": "victim_miner",
  "gittensorSnapshot": {
    "uid": 142,
    "hotkey": "5FHotkeySecretValue_Extracted_Here",
    "alphaPerDay": 45.12,
    "taoPerDay": 0.15,
    "usdPerDay": 56.40
  }
}

To exploit the Model Context Protocol interface, an attacker issues a JSON-RPC request to the tool pipeline. If the attacker configures an LLM agent with an active MCP session, they can direct the agent to query the vulnerable tool using the target's username:

{
  "jsonrpc": "2.0",
  "id": "exploit-mcp",
  "method": "tools/call",
  "params": {
    "name": "gittensory_get_contributor_profile",
    "arguments": {
      "login": "victim_miner"
    }
  }
}

Prior to the patch, this request successfully returned the full database record of the target contributor directly to the calling agent.

Impact Assessment

The impact of this vulnerability is high due to the sensitivity of the exposed fields. The leaked JSON records contain cryptographic hotkey values. In Gittensor networks, hotkeys identify specific mining nodes and validate transaction signatures. Leakage of hotkey identities allows attackers to map network infrastructure and profile target nodes for secondary attacks.

In addition to cryptographic identity keys, the endpoints leaked real-time financial performance indicators, including alphaPerDay, taoPerDay, and usdPerDay. These indicators represent the daily token and currency yields generated by individual miners. Access to these metrics allows competitors to map operational strategies, locate high-yield mining nodes, and perform targeted resource harvesting.

The CVSS v3.1 score is calculated as 6.5 (Medium/High). The score reflects a Network attack vector (AV:N), low attack complexity (AC:L), and low required privileges (PR:L). No user interaction (UI:N) is required. The impact is limited to confidentiality (C:H) with no direct integrity or availability compromise (I:N/A:N).

Official Patches

JSONboredCommit implementing access control guards and expanding serialization filtering mechanics.

Fix Analysis (1)

Technical Appendix

CVSS Score
6.5/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Systems

Gittensory REST API Server@jsonbored/gittensory-mcp Daemon

Affected Versions Detail

Product
Affected Versions
Fixed Version
Gittensory
JSONbored
< Commit 811ef5fb9d748170011f8854d88c64627ad666a0Commit 811ef5fb9d748170011f8854d88c64627ad666a0
AttributeDetail
CWE IDCWE-284 / CWE-639
Attack VectorNetwork
CVSS v3.1 Score6.5
EPSS ScoreNot Applicable (No CVE Assigned)
ImpactConfidentiality Leak (Cryptographic Hotkeys and Yield Data)
Exploit StatusPoC Available in Test Suite
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1567Exfiltration Over Web Service
Exfiltration
T1020Automated Exfiltration
Exfiltration
T1083File and Directory Discovery
Discovery
T1119Automated Information Discovery
Discovery
CWE-284
Improper Access Control

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Known Exploits & Detection

Regression Test SuiteIntegration and automated security regression test cases verifying access control blocks on the REST router and MCP server.

Vulnerability Timeline

Vulnerability discovered and analyzed
2026-06-02
Patch commit developed, tested, and pushed to main branch
2026-06-02
Advisory published on GitHub Advisory Database (GHSA-382C-VX95-W3P5)
2026-06-02

References & Sources

  • [1]GitHub Advisory: Missing contributor-scoped access control on profile endpoint and MCP tool
  • [2]Gittensory Official Repository
  • [3]Official Patch Commit

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•18 minutes ago•GHSA-52VM-MXX8-F227
7.7

GHSA-52vm-mxx8-f227: Arbitrary File Write and Decompression Denial of Service in phantom-audio

GHSA-52vm-mxx8-f227 is a dual-vector security flaw in phantom-audio (<= 1.3.0). The vulnerability allows arbitrary file writes due to unconfined Model Context Protocol (MCP) tool paths when the PHANTOM_OUTPUT_DIR environment variable is not defined. Concurrently, the platform lacks validation controls during the decompression of highly compressed audio files, resulting in resource-exhaustion denial of service and downstream parsing vulnerability exposure.

Amit Schendel
Amit Schendel
1 views•5 min read
•about 1 hour ago•GHSA-C43V-4CR8-6MVP
6.5

GHSA-C43V-4CR8-6MVP: Authenticated Path Traversal in Craft CMS Asset Icon Helper

An authenticated path traversal and arbitrary local file read vulnerability exists in Craft CMS versions 4.x up to 4.17.6 within the assets/icon endpoint and Assets helper classes. By exploiting this vulnerability, an authenticated user can traverse directories and read arbitrary .svg files on the server's filesystem, or execute Stored Cross-Site Scripting (XSS) if they can upload a malicious SVG.

Alon Barad
Alon Barad
3 views•8 min read
•about 1 hour ago•GHSA-86VW-X4WW-X467
8.6

CVE-2026-56382: Remote Code Execution in Craft CMS via Yii2 Event Handler Injection

CVE-2026-56382 is a high-severity remote code execution vulnerability in Craft CMS versions 5.5.0 through 5.9.13. The vulnerability exists within the FieldsController::actionRenderCardPreview() method due to a lack of sanitization of the user-supplied fieldLayoutConfig configuration array, permitting authenticated administrators to register arbitrary PHP callbacks using Yii2 event handler injection mechanisms. This issue has been fully remediated in version 5.9.14.

Amit Schendel
Amit Schendel
3 views•6 min read
•about 18 hours ago•CVE-2026-53634
4.3

CVE-2026-53634: Missing Authorization in Code16 Sharp Quick Creation Command Controller

Code16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.

Alon Barad
Alon Barad
6 views•5 min read
•about 19 hours ago•CVE-2026-49471
8.3

CVE-2026-49471: Unauthenticated Remote Code Execution in Serena MCP Toolkit via DNS Rebinding and Memory Poisoning

CVE-2026-49471 is a high-severity security vulnerability in Serena, an AI-assisted coding Model Context Protocol (MCP) toolkit. In versions prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated Flask API on a predictable port. Lacking host validation and CSRF protections, this endpoint is vulnerable to DNS Rebinding. An attacker can lure a user to a malicious webpage, bypass the Same-Origin Policy (SOP), rewrite the AI agent's persistent memory, and execute arbitrary commands on the host operating system via the autonomous agent's shell execution engine.

Alon Barad
Alon Barad
11 views•5 min read
•about 19 hours ago•GHSA-MXWC-WH95-PW4G
5.3

GHSA-MXWC-WH95-PW4G: Denial of Service via Uncontrolled Recursion in Trapster DNS Parser

The trapster honeypot package is vulnerable to a remote denial of service (DoS) vulnerability due to uncontrolled recursion during the parsing of malformed DNS compression pointers in the decode_labels function.

Amit Schendel
Amit Schendel
7 views•6 min read