Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 0.4%top 69%

CVE-2026-44895: CWE-306: Missing Authentication for Critical Function in yoda-digital mcp-gitlab-server

0
Critical
VulnerabilityCVE-2026-44895cvecve-2026-44895cwe-306cwe-942
Published: 05/26/2026 (05/26/2026, 21:08:13 UTC)
Source: CVE Database V5
Vendor/Project: yoda-digital
Product: mcp-gitlab-server

Description

GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: * on every response. The structural defect is that the SSE server stands up a stateful, mutation-capable RPC endpoint that is backed by the operator's GITLAB_PERSONAL_ACCESS_TOKEN without any inbound credential check, then advertises itself to every cross-origin browser context via the wildcard CORS header. The httpServer.listen(port) call at line 97 also passes no host argument, so the bind defaults to 0.0.0.0 and exposes the auth-less surface on every interface. This vulnerability is fixed in 0.6.0.

CVSS v4.0

Score 9.2critical

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Vuln. Confidentiality
High
Vuln. Integrity
High
Vuln. Availability
Low
Subsq. Confidentiality
None
Subsq. Integrity
None
Subsq. Availability
None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Affected software

Affected versions
<0.6.0

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 05/26/2026, 22:04:23 UTC

Technical Analysis

The vulnerability arises from the mcp-gitlab-server's HTTP transport implementation before version 0.6.0, which does not enforce authentication on a critical RPC endpoint. This endpoint is stateful and mutation-capable, backed by the operator's GitLab personal access token, and is exposed on all network interfaces due to binding to 0.0.0.0. The server also sets a wildcard Access-Control-Allow-Origin header, enabling any cross-origin browser context to interact with this endpoint without credentials. This combination of missing authentication and permissive CORS headers creates a severe security risk, allowing unauthorized remote code execution or modification of GitLab resources via the exposed RPC interface. The issue is addressed by adding authentication and restricting exposure in version 0.6.0.

Potential Impact

An unauthenticated remote attacker can access a mutation-capable RPC endpoint that operates with the privileges of the operator's GitLab personal access token. This can lead to unauthorized modification of GitLab resources, potentially compromising the integrity and confidentiality of the GitLab environment. The exposure on all network interfaces and permissive CORS policy significantly increases the attack surface, allowing exploitation from any network location and from any browser context. The CVSS 4.0 score of 9.2 reflects the critical severity and ease of exploitation without privileges or user interaction.

Mitigation Recommendations

The vulnerability is fixed in mcp-gitlab-server version 0.6.0. Users should upgrade to version 0.6.0 or later to ensure authentication is enforced on the RPC endpoint and the server no longer exposes this unauthenticated interface. No other official remediation or temporary fixes are documented. Until upgrade, restricting network exposure of the affected server and disabling cross-origin requests may reduce risk but do not fully mitigate the vulnerability.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-05-07T21:50:33.546Z
Cvss Version
4.0
State
PUBLISHED
Remediation Level
null

Threat ID: 6a161539e29bf47b506c539c

Added to database: 05/26/2026, 21:48:41 UTC

Last enriched: 05/26/2026, 22:04:23 UTC

Last updated: 07/11/2026, 19:47:31 UTC

Views: 158

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses