PT-2026-30393 · Npm · @Grackle-Ai/Mcp

Published 2026-03-25 · Updated 2026-03-25

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

Impact

The knowledge search and knowledge get node MCP tools are included in SCOPED TOOLS (visible to scoped agents) but their handlers do not receive authContext and do not enforce workspace scoping. A scoped agent in Workspace A can supply an arbitrary workspaceId parameter to search or retrieve knowledge graph nodes from Workspace B, bypassing workspace isolation boundaries.
This is a cross-workspace data leakage vulnerability affecting any deployment where multiple workspaces contain sensitive knowledge graph data and scoped agents are used.
Affected code:
  • packages/mcp/src/tools/knowledge.ts:146-169 (knowledge search handler)
  • packages/mcp/src/tools/knowledge.ts:244-283 (knowledge get node handler)
  • packages/mcp/src/tool-scoping.ts:11 (both tools listed in SCOPED TOOLS)
Contrast with correct implementation: knowledge create node (same file, lines 334-357) properly receives authContext and overrides the user-supplied workspaceId for scoped callers.

Design Note

Cross-workspace knowledge sharing is a legitimate future feature — agents working across different repos may need to collaborate and share knowledge. However, this access should be opt-in with explicit grants, not an implicit bypass. The immediate fix locks scoped agents to their own workspace. A future design could introduce:
  • Workspace-level "share knowledge with" settings
  • A cross workspace scope on scoped tokens
  • Explicit workspaceIds (plural) in the auth context

Patches

Fix: Add authContext parameter to knowledge search and knowledge get node handlers and enforce workspace scoping, matching the pattern in knowledge create node:
```typescript
const resolvedWorkspaceId =
  authContext?.type === "scoped"
    ? authContext.workspaceId ?? ""
    : workspaceId ?? "";
```
When cross-workspace collaboration is designed, this check can be relaxed intentionally with proper access controls.
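
The effect of that check on a search handler and a get-by-id handler, as an added example that is not the project's code: only `authContext`, `workspaceId` and the `"scoped"` type come from the advisory, while the handler names, the `"full"` caller type and the in-memory nodes are constructed for illustration. It also assumes an empty resolved id should match nothing.

```typescript
// Added example. Only authContext, workspaceId and the "scoped" type come from
// the advisory; every other name and the sample nodes are constructed here.
type AuthContext =
  | { type: "scoped"; workspaceId?: string }
  | { type: "full" }; // hypothetical name for a non-scoped caller

interface KnowledgeNode {
  id: string;
  workspaceId: string;
  text: string;
}

const NODES: KnowledgeNode[] = [
  { id: "n1", workspaceId: "ws-a", text: "deploy runbook for service A" },
  { id: "n2", workspaceId: "ws-b", text: "deploy notes private to workspace B" },
];

// The advisory's expression: a scoped caller never chooses the workspace.
function resolveWorkspaceId(auth: AuthContext | undefined, workspaceId?: string): string {
  return auth?.type === "scoped" ? auth.workspaceId ?? "" : workspaceId ?? "";
}

// Pre-fix shape: no authContext, so the caller-supplied workspaceId is trusted.
function searchUnscoped(args: { query: string; workspaceId?: string }): KnowledgeNode[] {
  const ws = args.workspaceId ?? "";
  return NODES.filter((n) => n.workspaceId === ws && n.text.includes(args.query));
}

// Post-fix shape: the workspace comes from the token for scoped callers.
function searchScoped(
  args: { query: string; workspaceId?: string },
  auth: AuthContext | undefined,
): KnowledgeNode[] {
  const ws = resolveWorkspaceId(auth, args.workspaceId);
  // Assumption of this example: an empty resolved id matches nothing (fail closed).
  if (ws === "") return [];
  return NODES.filter((n) => n.workspaceId === ws && n.text.includes(args.query));
}

// Lookup by id needs the same check on the fetched node, not only on the argument.
function getNodeScoped(
  args: { id: string; workspaceId?: string },
  auth: AuthContext | undefined,
): KnowledgeNode | null {
  const ws = resolveWorkspaceId(auth, args.workspaceId);
  const node = NODES.find((n) => n.id === args.id);
  return node !== undefined && ws !== "" && node.workspaceId === ws ? node : null;
}
```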

Workarounds

Do not use scoped agent tokens in multi-workspace deployments until patched. Alternatively, remove knowledge search and knowledge get node from the SCOPED TOOLS set in tool-scoping.ts.

References

  • CWE-284: Improper Access Control
  • File: packages/mcp/src/tools/knowledge.ts
  • File: packages/mcp/src/tool-scoping.ts

Weakness Enumeration

Improper Access Control

Related Identifiers

GHSA-647H-P824-99W7

Affected Products

@Grackle-Ai/Mcp