Problem
The local MCP HTTP/WebSocket API has no authentication token, shared secret, or per-client authorization check before dispatching JSON-RPC methods.
The listener is bound to loopback, but any local process that can reach the port can POST JSON-RPC or open a WebSocket and invoke registered editor automation methods.
Evidence
Editor/MCPServer.Networking.cs:78-80 registers http://127.0.0.1:{_port}/ and http://localhost:{_port}/.
Editor/MCPServer.Networking.cs:115-131 only validates loopback URL/origin. Empty Origin is accepted.
Editor/MCPServer.Networking.cs:147-155 rejects invalid origins, but does not require a token or credential.
Editor/MCPServerMethods.cs:74-83 parses incoming JSON-RPC and dispatches through the registered method table.
- The exposed method table includes high-impact operations such as file writes, script compilation, server shutdown, PlayerPrefs mutation, and reflection-based invocation.
Impact
A malicious local process, compromised editor extension, npm/pip postinstall script, or other process on a shared workstation can control the Unity Editor through the MCP port. Because the available tools can mutate project files and editor state, this is effectively an unauthenticated local control plane.
Suggested fix
Add a per-session authentication secret generated by the Unity server and required on every HTTP/WebSocket request, preferably via a header. The bridge/client config should receive the token through the trusted setup path. Reject unauthenticated requests before JSON-RPC parsing or method dispatch.
Source report
Imported from audit report items:
security (11) / Editor/MCPServer.Networking.cs:16
security (11) / Editor/MCPServer.cs:74
These were combined because they describe the same missing authentication root cause.
Problem
The local MCP HTTP/WebSocket API has no authentication token, shared secret, or per-client authorization check before dispatching JSON-RPC methods.
The listener is bound to loopback, but any local process that can reach the port can POST JSON-RPC or open a WebSocket and invoke registered editor automation methods.
Evidence
Editor/MCPServer.Networking.cs:78-80registershttp://127.0.0.1:{_port}/andhttp://localhost:{_port}/.Editor/MCPServer.Networking.cs:115-131only validates loopback URL/origin. EmptyOriginis accepted.Editor/MCPServer.Networking.cs:147-155rejects invalid origins, but does not require a token or credential.Editor/MCPServerMethods.cs:74-83parses incoming JSON-RPC and dispatches through the registered method table.Impact
A malicious local process, compromised editor extension, npm/pip postinstall script, or other process on a shared workstation can control the Unity Editor through the MCP port. Because the available tools can mutate project files and editor state, this is effectively an unauthenticated local control plane.
Suggested fix
Add a per-session authentication secret generated by the Unity server and required on every HTTP/WebSocket request, preferably via a header. The bridge/client config should receive the token through the trusted setup path. Reject unauthenticated requests before JSON-RPC parsing or method dispatch.
Source report
Imported from audit report items:
security (11)/Editor/MCPServer.Networking.cs:16security (11)/Editor/MCPServer.cs:74These were combined because they describe the same missing authentication root cause.