
GHSA-WF8Q-WVV8-P8JF: Unauthenticated User Impersonation in MCPHub SSE Endpoint

DEV Community·CVE Reports·18 days ago

Vulnerability ID: GHSA-WF8Q-WVV8-P8JF
CVSS Score: 4.7
Published: 2026-05-14

The @samanhappy/mcphub package before version 0.12.15 contains a critical improper authentication vulnerability within its Server-Sent Events (SSE) transport layer. The application blindly trusts the username provided in the URL path parameter to establish user context and session state without requiring cryptographic verification or authentication tokens. This architectural flaw allows unauthenticated remote attackers to impersonate any user, establish a valid session, and execute arbitrary Model Context Protocol (MCP) tools within the victim's authorization context.

TL;DR

An authentication bypass in MCPHub allows unauthenticated attackers to impersonate any user by specifying a target username in the SSE endpoint URL, granting unauthorized execution of administrative AI tools.…
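The flaw described above comes down to where the server takes the user identity from. The following is an added example, not MCPHub's code: the `/<username>/sse` route shape, the function names and the session table are assumptions, used to contrast a resolver that trusts the path with one that requires a verified token and checks it against the path.

```javascript
// Added example, not MCPHub source. The "/<username>/sse" route shape,
// the function names and the session table are assumptions.

// Constructed server-side session table: opaque token -> authenticated user.
const sessions = new Map([
  ['tok-alice-constructed', 'alice'],
  ['tok-admin-constructed', 'admin'],
]);

// Extract the username segment from "/<username>/sse"; null if no match.
function pathUser(url) {
  const m = /^\/([^/]+)\/sse$/.exec(url);
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]);
  } catch {
    return null; // malformed percent-encoding
  }
}

// Pattern the advisory describes: the path segment alone becomes the identity.
function resolveUserVulnerable(req) {
  const user = pathUser(req.url);
  return user ? { status: 200, user } : { status: 404 };
}

// Hardened: identity comes from a verified credential; the path value is
// only a request that must match the authenticated user.
function resolveUserHardened(req) {
  const requested = pathUser(req.url);
  if (!requested) return { status: 404 };
  const m = /^Bearer (\S+)$/.exec(req.headers.authorization || '');
  const authenticated = m ? sessions.get(m[1]) : undefined;
  if (!authenticated) return { status: 401 }; // no token or unknown token
  if (authenticated !== requested) return { status: 403 }; // token is for another user
  return { status: 200, user: authenticated };
}

// Constructed requests: the same URL with and without a credential.
const anonymous = { url: '/admin/sse', headers: {} };
const asAlice = { url: '/admin/sse', headers: { authorization: 'Bearer tok-alice-constructed' } };
console.log(resolveUserVulnerable(anonymous));
console.log(resolveUserHardened(anonymous));
console.log(resolveUserHardened(asAlice));
```

A regression test for the fix should cover both rejection paths: a request with no credential (401) and a request whose valid credential belongs to a different user than the one named in the path (403).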
