PT-2026-60101 · Unknown · Netlicensing-Mcp

CVE-2026-54446

·

Published

2026-07-14

·

Updated

2026-07-15

CVSS v3.1

8.1

High

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions netlicensing-mcp version 0.1.5
Description When running in HTTP transport mode, the software fails to enforce authentication in the ApiKeyMiddleware. Requests that do not provide a client API key are unconditionally forwarded to the next handler. Consequently, the system falls back to using the server operator's NETLICENSING API KEY environment variable to authenticate calls to the upstream NetLicensing REST API. This allows an unauthenticated network attacker to invoke any MCP tool, including product listing, license creation, modification, and destructive delete operations, using the operator's identity and account quota.
Technical details include:
  • API Endpoints: The /mcp endpoint is vulnerable to unauthenticated access.
  • Vulnerable Parameters or Variables: The x-netlicensing-api-key header and apikey query parameter are not enforced, and the NETLICENSING API KEY environment variable is used as an insecure fallback.
  • Function Names: The ApiKeyMiddleware fails to reject requests when a key is absent.
Recommendations For version 0.1.5, update the ApiKeyMiddleware in server.py to return a 401 Unauthorized response when a valid API key is not provided, except for the /health endpoint. As a temporary mitigation, restrict network access to the /mcp endpoint to trusted sources only.

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54446
GHSA-X9VC-9FFQ-P3GJ

Affected Products

Netlicensing-Mcp