CVE-2026-44895: CWE-306: Missing Authentication for Critical Function in yoda-digital mcp-gitlab-server
GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: * on every response. The structural defect is that the SSE server stands up a stateful, mutation-capable RPC endpoint that is backed by the operator's GITLAB_PERSONAL_ACCESS_TOKEN without any inbound credential check, then advertises itself to every cross-origin browser context via the wildcard CORS header. The httpServer.listen(port) call at line 97 also passes no host argument, so the bind defaults to 0.0.0.0 and exposes the auth-less surface on every interface. This vulnerability is fixed in 0.6.0.
AI Analysis
Technical Summary
The vulnerability arises from the mcp-gitlab-server's HTTP transport implementation before version 0.6.0, which does not enforce authentication on a critical RPC endpoint. This endpoint is stateful and mutation-capable, backed by the operator's GitLab personal access token, and is exposed on all network interfaces due to binding to 0.0.0.0. The server also sets a wildcard Access-Control-Allow-Origin header, enabling any cross-origin browser context to interact with this endpoint without credentials. This combination of missing authentication and permissive CORS headers creates a severe security risk, allowing unauthorized remote code execution or modification of GitLab resources via the exposed RPC interface. The issue is addressed by adding authentication and restricting exposure in version 0.6.0.
Potential Impact
An unauthenticated remote attacker can access a mutation-capable RPC endpoint that operates with the privileges of the operator's GitLab personal access token. This can lead to unauthorized modification of GitLab resources, potentially compromising the integrity and confidentiality of the GitLab environment. The exposure on all network interfaces and permissive CORS policy significantly increases the attack surface, allowing exploitation from any network location and from any browser context. The CVSS 4.0 score of 9.2 reflects the critical severity and ease of exploitation without privileges or user interaction.
Mitigation Recommendations
The vulnerability is fixed in mcp-gitlab-server version 0.6.0. Users should upgrade to version 0.6.0 or later to ensure authentication is enforced on the RPC endpoint and the server no longer exposes this unauthenticated interface. No other official remediation or temporary fixes are documented. Until upgrade, restricting network exposure of the affected server and disabling cross-origin requests may reduce risk but do not fully mitigate the vulnerability.
CVE-2026-44895: CWE-306: Missing Authentication for Critical Function in yoda-digital mcp-gitlab-server
Description
GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: * on every response. The structural defect is that the SSE server stands up a stateful, mutation-capable RPC endpoint that is backed by the operator's GITLAB_PERSONAL_ACCESS_TOKEN without any inbound credential check, then advertises itself to every cross-origin browser context via the wildcard CORS header. The httpServer.listen(port) call at line 97 also passes no host argument, so the bind defaults to 0.0.0.0 and exposes the auth-less surface on every interface. This vulnerability is fixed in 0.6.0.
CVSS v4.0
Score 9.2critical
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises from the mcp-gitlab-server's HTTP transport implementation before version 0.6.0, which does not enforce authentication on a critical RPC endpoint. This endpoint is stateful and mutation-capable, backed by the operator's GitLab personal access token, and is exposed on all network interfaces due to binding to 0.0.0.0. The server also sets a wildcard Access-Control-Allow-Origin header, enabling any cross-origin browser context to interact with this endpoint without credentials. This combination of missing authentication and permissive CORS headers creates a severe security risk, allowing unauthorized remote code execution or modification of GitLab resources via the exposed RPC interface. The issue is addressed by adding authentication and restricting exposure in version 0.6.0.
Potential Impact
An unauthenticated remote attacker can access a mutation-capable RPC endpoint that operates with the privileges of the operator's GitLab personal access token. This can lead to unauthorized modification of GitLab resources, potentially compromising the integrity and confidentiality of the GitLab environment. The exposure on all network interfaces and permissive CORS policy significantly increases the attack surface, allowing exploitation from any network location and from any browser context. The CVSS 4.0 score of 9.2 reflects the critical severity and ease of exploitation without privileges or user interaction.
Mitigation Recommendations
The vulnerability is fixed in mcp-gitlab-server version 0.6.0. Users should upgrade to version 0.6.0 or later to ensure authentication is enforced on the RPC endpoint and the server no longer exposes this unauthenticated interface. No other official remediation or temporary fixes are documented. Until upgrade, restricting network exposure of the affected server and disabling cross-origin requests may reduce risk but do not fully mitigate the vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-07T21:50:33.546Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a161539e29bf47b506c539c
Added to database: 05/26/2026, 21:48:41 UTC
Last enriched: 05/26/2026, 22:04:23 UTC
Last updated: 07/11/2026, 19:47:31 UTC
Views: 158
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.