PT-2026-39306 · Npm+1 · @Yoda.Digital/Gitlab-Mcp-Server+1
Nalyk · Published 2026-05-09 · Updated 2026-06-19 · CVE-2026-44895
CVSS v4.0: 9.2 (Critical)
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
GitLab MCP Server versions prior to 0.6.0
Description
The HTTP transport in src/transport.ts lacks an authentication layer and sets a wildcard Access-Control-Allow-Origin: * header on all responses. This allows any cross-origin browser context or unauthenticated network caller to reach a stateful, mutation-capable RPC endpoint. The server binds to 0.0.0.0 by default because httpServer.listen(port) is called without a host argument, exposing the endpoint on all network interfaces.

This configuration allows unauthorized access to every tool exposed by the server, using the operator's GITLAB_PERSONAL_ACCESS_TOKEN, including destructive operations such as delete repository, delete group, push files, create merge request, and update repository settings.

The affected API endpoints are:
- 'GET /sse'
- 'POST /messages?sessionId=<id>'
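The three weaknesses the description names (no authentication layer, a wildcard Access-Control-Allow-Origin header, and listen(port) called without a host) can be contrasted with a hardened transport gate, which is also what the "restrict network access" workaround amounts to. The following Node.js example is added here for illustration; it is not code from the advisory or from the gitlab-mcp-server project. The function names (authorizeRequest, requestGate, listenOptions, tokenMatches), the two config objects and the sample token are assumptions; the endpoint paths are the ones the advisory lists.

```javascript
// Added example, not code from the advisory or the gitlab-mcp-server project.
// Contrasts the weak transport configuration the advisory describes with a
// hardened one: bearer-token auth, an origin allowlist instead of "*", and a
// loopback bind instead of listen(port) with no host.
// All names and values below are assumptions chosen for illustration.

// Weak: no token, wildcard CORS, no host => Node binds all interfaces.
const weakConfig = { token: null, allowedOrigins: "*", host: undefined };

// Hardened: shared secret, explicit origin allowlist, loopback only.
const hardenedConfig = {
  token: "example-shared-secret", // constructed; read from an env var in practice
  allowedOrigins: ["http://localhost:3000"],
  host: "127.0.0.1",
};

// Compare tokens without an early exit on the first differing byte.
// (Length is still compared up front, as crypto.timingSafeEqual also requires.)
function tokenMatches(presented, expected) {
  if (typeof presented !== "string" || presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Decide whether a request may reach the MCP endpoint.
// `req` is {method, url, headers} with lower-cased header names, as on
// http.IncomingMessage. Returns a plain decision object so it is unit-testable.
function authorizeRequest(req, config) {
  const headers = {};
  const origin = req.headers.origin;

  // CORS: reflect only allowlisted origins; the wildcard is what the advisory flags.
  if (config.allowedOrigins === "*") {
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (origin !== undefined) {
    if (!config.allowedOrigins.includes(origin)) {
      return { allow: false, status: 403, headers, reason: "origin not allowed" };
    }
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Vary"] = "Origin";
  }

  // Preflight carries no credentials and needs no auth once the origin passed.
  if (req.method === "OPTIONS") return { allow: true, status: 204, headers };

  // Only the two transport endpoints the advisory lists are routable.
  const path = req.url.split("?")[0];
  const routeOk =
    (req.method === "GET" && path === "/sse") ||
    (req.method === "POST" && path === "/messages");
  if (!routeOk) return { allow: false, status: 404, headers, reason: "unknown route" };

  // Authentication: Authorization: Bearer <token>, when a token is configured.
  if (config.token !== null) {
    const auth = req.headers.authorization || "";
    const presented = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
    if (!tokenMatches(presented, config.token)) {
      headers["WWW-Authenticate"] = "Bearer";
      return { allow: false, status: 401, headers, reason: "missing or invalid token" };
    }
  }
  return { allow: true, status: 200, headers };
}

// Options for server.listen(): without a host Node binds 0.0.0.0 / ::,
// which is the default exposure the advisory describes.
function listenOptions(config, port = 3000) {
  return config.host ? { host: config.host, port } : { port };
}

// Request listener for http.createServer(): applies the decision, then hands
// allowed requests to `next` (the SSE / message handler).
function requestGate(config, next) {
  return (req, res) => {
    const d = authorizeRequest(
      { method: req.method, url: req.url, headers: req.headers }, config);
    for (const [name, value] of Object.entries(d.headers)) res.setHeader(name, value);
    if (!d.allow || req.method === "OPTIONS") {
      res.writeHead(d.status);
      res.end(d.reason || "");
      return;
    }
    next(req, res);
  };
}
```

Wired as http.createServer(requestGate(hardenedConfig, handler)).listen(listenOptions(hardenedConfig)), the socket is reachable only from loopback, browsers from unlisted origins get 403, and callers without the shared token get 401 before any tool is dispatched. Passing weakConfig to the same code reproduces the state the advisory describes: wildcard CORS, no authentication, and a bind on every interface.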
Recommendations
Update to version 0.6.0.
As a temporary workaround, avoid setting USE_SSE=true, or restrict network access to the server port to trusted sources only.
Missing Authentication
Related Identifiers
Affected Products
@Yoda.Digital/Gitlab-Mcp-Server
Mcp-Gitlab-Server