The vulnerability arises from the mcp-gitlab-server's HTTP transport implementation before version 0.6.0, which does not enforce authentication on a critical RPC endpoint. This endpoint is stateful and mutation-capable, backed by the operator's GitLab personal access token, and is exposed on all network interfaces due to binding to 0.0.0.0. The server also sets a wildcard Access-Control-Allow-Origin header, enabling any cross-origin browser context to interact with this endpoint without credentials. This combination of missing authentication and permissive CORS headers creates a severe security risk, allowing unauthorized remote code execution or modification of GitLab resources via the exposed RPC interface. The issue is addressed by adding authentication and restricting exposure in version 0.6.0.

An unauthenticated remote attacker can access a mutation-capable RPC endpoint that operates with the privileges of the operator's GitLab personal access token. This can lead to unauthorized modification of GitLab resources, potentially compromising the integrity and confidentiality of the GitLab environment. The exposure on all network interfaces and permissive CORS policy significantly increases the attack surface, allowing exploitation from any network location and from any browser context. The CVSS 4.0 score of 9.2 reflects the critical severity and ease of exploitation without privileges or user interaction.

The vulnerability is fixed in mcp-gitlab-server version 0.6.0. Users should upgrade to version 0.6.0 or later to ensure authentication is enforced on the RPC endpoint and the server no longer exposes this unauthenticated interface. No other official remediation or temporary fixes are documented. Until upgrade, restricting network exposure of the affected server and disabling cross-origin requests may reduce risk but do not fully mitigate the vulnerability.