GHSA-WF8Q-WVV8-P8JF: Unauthenticated User Impersonation in MCPHub SSE Endpoint

The @samanhappy/mcphub package serves as a centralized management hub for Model Context Protocol (MCP) servers. The application facilitates communication between AI clients and back-end tools, exposing services such as database queries and file system access through Server-Sent Events (SSE) endpoints. This architecture allows AI models to dynamically interact with system resources using JSON-RPC commands.

The vulnerability, tracked as GHSA-WF8Q-WVV8-P8JF, involves Improper Authentication (CWE-287) and Improper Authorization (CWE-285) within the SSE transport layer. The application uses a routing pattern that extracts the username directly from the URL path to establish the operational context. Because this endpoint lacks enforced authentication checks in its default configuration, attackers can supply arbitrary usernames to assume the identity of privileged accounts.

By exploiting this flaw, unauthenticated remote attackers gain full access to the target user's configured MCP tools. This access bypasses intended access controls and exposes sensitive internal functions meant only for authorized AI clients or administrators. The flaw fundamentally breaks the security boundary between unauthenticated network requests and authenticated internal tool execution.

The vulnerability originates in the user context middleware (src/middlewares/userContext.ts) and the SSE connection handler (src/services/sseService.ts). The application defines the SSE connection route using the pattern GET /{username}/sse/{group}. The middleware parses incoming requests and extracts the {username} parameter from the URL path (req.params.user).

The extracted string is directly assigned as the current user context for the session. The application fails to validate this identity claim against an authenticated state, such as verifying a JSON Web Token (JWT), a session cookie, or a Bearer token. The server intrinsically trusts the user-supplied input in the URL parameter as a definitive proof of identity.

Upon connection establishment, the SSE service generates a unique sessionId and binds it to the unverified username. The application utilizes a split-channel communication model where the SSE stream is used for server-to-client events, and a separate POST endpoint (POST /{username}/messages?sessionId=...) is used for client-to-server commands. Because the sessionId is bound to the spoofed identity, any subsequent POST requests carrying this ID are executed with the full privileges of the impersonated user.

Exploitation requires network reachability to the MCPHub HTTP service. The attacker does not require prior authentication or specialized tools; standard HTTP utilities are sufficient to exploit the flaw. The attack sequence begins with establishing an SSE connection to a high-privilege account, typically admin.

The attacker initiates the exploit by sending a GET request to the targeted endpoint:

curl -N "http://<target-ip>:3000/admin/sse/default"

The server processes the URL parameter, sets the user context to admin, and responds with an open event stream. The initial response contains the active sessionId assigned to this context:

HTTP/1.1 200 OK
Content-Type: text/event-stream
 
event: endpoint
data: /admin/messages?sessionId=5b242344-ddf1-4c21-b8f4-0193d3467f1e

With the valid session ID obtained, the attacker utilizes the command endpoint to interact with the system. The attacker sends a tools/list JSON-RPC command to discover available tools:

curl -X POST "http://<target-ip>:3000/admin/messages?sessionId=5b242344-ddf1-4c21-b8f4-0193d3467f1e" \
     -H "Content-Type: application/json" \
     -d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}'

The server executes the command in the context of the admin user and pushes the results to the open SSE stream in the attacker's first terminal. The attacker can then construct subsequent POST requests to execute any discovered tool, allowing for arbitrary interaction with the underlying system resources.

The following diagram illustrates the unauthenticated user impersonation flow, detailing how the attacker leverages the trusted URL parameter to obtain a valid session ID and execute privileged commands.

The remediation, implemented in commit 3fb39f0951475179069d846663f736689d0689d0, fundamentally shifts the user context derivation strategy. The vulnerable implementation relied exclusively on Express.js route parameters (req.params.user) without cryptographic validation.

The patch introduces hardened JWT identity binding for SSE routes. Instead of reading the URL path, the middleware now extracts and validates a JSON Web Token from the request headers. The user context is explicitly derived from the verified claims within the token, effectively neutralizing the ability to spoof identities via route parameters.

Additionally, the patch addresses logic flaws within the validateBearerAuth function. The updated implementation enforces strict rejection of requests when authentication is enabled but a valid API key is absent. This ensures a defense-in-depth posture, requiring both proper session authorization and, when configured, valid Bearer authentication before processing MCP tool commands.

While the official CVSS score is rated as 4.7 (Medium Severity), independent security analysis indicates the practical impact is significantly higher when MCPHub exposes sensitive administrative tools. The confidentiality impact is absolute within the context of the impersonated user; attackers can read any data accessible to the user's configured MCP tools, which frequently includes database records and private file systems.

The integrity impact is equally severe. Attackers possess the capability to execute state-modifying tools, allowing them to alter system configurations, tamper with database entries, or manipulate underlying file structures. The scope of the damage is constrained only by the permissions granted to the MCP servers managed by the hub.

System availability is at risk, as attackers can invoke resource-intensive queries or execute tools designed to delete or restrict access to configurations. Because MCPHub is specifically designed to provide AI models with deep integration into internal systems, circumventing its authentication controls effectively grants an unauthenticated external attacker a direct interface to sensitive internal APIs.

The primary remediation for GHSA-WF8Q-WVV8-P8JF is to upgrade the @samanhappy/mcphub package to version 0.12.15 or later. This release contains the fundamental architectural fixes required to prevent user impersonation via URL parameters.

Administrators must ensure that the enableBearerAuth configuration directive is set to true. Relying solely on default settings may leave endpoints exposed. The configuration must be paired with cryptographically strong, randomly generated keys to secure the API surfaces.

Network-level isolation serves as a critical secondary mitigation. MCPHub instances should never be exposed directly to the public internet. Deployments must be restricted to internal networks, virtual private networks (VPNs), or zero-trust network access (ZTNA) boundaries to minimize the attack surface and prevent unauthorized access attempts from untrusted origins.