PT-2026-60101 · Unknown · Netlicensing-Mcp
CVE-2026-54446
·
Published
2026-07-14
·
Updated
2026-07-15
CVSS v3.1
8.1
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
netlicensing-mcp version 0.1.5
Description
When running in HTTP transport mode, the software fails to enforce authentication in the
ApiKeyMiddleware. Requests that do not provide a client API key are unconditionally forwarded to the next handler. Consequently, the system falls back to using the server operator's NETLICENSING API KEY environment variable to authenticate calls to the upstream NetLicensing REST API. This allows an unauthenticated network attacker to invoke any MCP tool, including product listing, license creation, modification, and destructive delete operations, using the operator's identity and account quota.Technical details include:
- API Endpoints: The
/mcpendpoint is vulnerable to unauthenticated access. - Vulnerable Parameters or Variables: The
x-netlicensing-api-keyheader andapikeyquery parameter are not enforced, and theNETLICENSING API KEYenvironment variable is used as an insecure fallback. - Function Names: The
ApiKeyMiddlewarefails to reject requests when a key is absent.
Recommendations
For version 0.1.5, update the
ApiKeyMiddleware in server.py to return a 401 Unauthorized response when a valid API key is not provided, except for the /health endpoint.
As a temporary mitigation, restrict network access to the /mcp endpoint to trusted sources only.Fix
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Netlicensing-Mcp