Skip to content

[CRITICAL] MCP HTTP/WebSocket API accepts unauthenticated local JSON-RPC calls #62

Description

@Daliys

Problem

The local MCP HTTP/WebSocket API has no authentication token, shared secret, or per-client authorization check before dispatching JSON-RPC methods.

The listener is bound to loopback, but any local process that can reach the port can POST JSON-RPC or open a WebSocket and invoke registered editor automation methods.

Evidence

  • Editor/MCPServer.Networking.cs:78-80 registers http://127.0.0.1:{_port}/ and http://localhost:{_port}/.
  • Editor/MCPServer.Networking.cs:115-131 only validates loopback URL/origin. Empty Origin is accepted.
  • Editor/MCPServer.Networking.cs:147-155 rejects invalid origins, but does not require a token or credential.
  • Editor/MCPServerMethods.cs:74-83 parses incoming JSON-RPC and dispatches through the registered method table.
  • The exposed method table includes high-impact operations such as file writes, script compilation, server shutdown, PlayerPrefs mutation, and reflection-based invocation.

Impact

A malicious local process, compromised editor extension, npm/pip postinstall script, or other process on a shared workstation can control the Unity Editor through the MCP port. Because the available tools can mutate project files and editor state, this is effectively an unauthenticated local control plane.

Suggested fix

Add a per-session authentication secret generated by the Unity server and required on every HTTP/WebSocket request, preferably via a header. The bridge/client config should receive the token through the trusted setup path. Reject unauthenticated requests before JSON-RPC parsing or method dispatch.

Source report

Imported from audit report items:

  • security (11) / Editor/MCPServer.Networking.cs:16
  • security (11) / Editor/MCPServer.cs:74

These were combined because they describe the same missing authentication root cause.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingneeds-triageImported or reported issue awaiting owner reviewpriority: criticalImmediate breakage, data loss, or release-blocking issuesurface: json-rpcRaw JSON-RPC methods, schemas, or dispatch surfacesurface: networkingHTTP, WebSocket, listener, origin, or authentication surfacetype: securitySecurity vulnerability or unsafe trust boundary

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions