@grackle-ai/mcp Workspace Authorization Bypass in knowledge_search MCP Tool
The @grackle-ai/mcp package has a workspace authorization bypass vulnerability in its knowledge_search MCP tool that allows scoped agents to bypass workspace isolation and access knowledge graph nodes from other workspaces, leading to cross-workspace data leakage.
The @grackle-ai/mcp package, specifically versions 0.70.1 and earlier, contains a critical authorization bypass vulnerability within the knowledge_search and knowledge_get_node MCP tools. This vulnerability allows scoped agents operating within one workspace to circumvent intended isolation boundaries and access knowledge graph nodes residing in other workspaces. This is due to the knowledge_search and knowledge_get_node handlers failing to properly receive or enforce workspace scoping via the authContext. This vulnerability poses a significant risk of cross-workspace data leakage in deployments where multiple workspaces contain sensitive knowledge graph data and scoped agents are utilized. The issue was reported on March 25, 2026, and is tracked as GHSA-647h-p824-99w7. Defenders should prioritize patching or implementing workarounds to mitigate this risk.
Attack Chain
- A scoped agent is deployed within Workspace A, possessing limited permissions within that workspace.
- The attacker identifies the presence of the
knowledge_searchandknowledge_get_nodetools within theSCOPED_TOOLSset, indicating their accessibility to scoped agents. - The attacker crafts a request to the
knowledge_searchorknowledge_get_nodehandler, supplying an arbitraryworkspaceIdparameter corresponding to Workspace B. - Due to the missing
authContextand lack of workspace scoping enforcement in the handler, the request bypasses intended access controls. - The handler retrieves knowledge graph nodes from Workspace B based on the attacker-supplied
workspaceId. - The data from Workspace B is returned to the scoped agent in Workspace A.
- The attacker gains unauthorized access to sensitive knowledge graph data residing in Workspace B.
- The attacker can exfiltrate or misuse the compromised data, leading to data leakage or other malicious activities.
Impact
This vulnerability results in cross-workspace data leakage, potentially exposing sensitive information stored in knowledge graphs across different workspaces. The number of affected deployments depends on the adoption rate of @grackle-ai/mcp with scoped agents and multi-workspace configurations. Successful exploitation can lead to unauthorized access to confidential data, impacting data privacy, compliance, and potentially causing reputational damage. The vulnerability affects any deployment where multiple workspaces contain sensitive knowledge graph data and scoped agents are used, putting organizations at significant risk.
Recommendation
- Upgrade
@grackle-ai/mcpto a patched version beyond 0.70.1 to address the authorization bypass vulnerability. - As a temporary workaround, remove
knowledge_searchandknowledge_get_nodefrom theSCOPED_TOOLSset intool-scoping.tsto restrict access to these tools for scoped agents. - Monitor the usage of
knowledge_searchandknowledge_get_nodehandlers for requests originating from scoped agents, and alert on any attempts to access knowledge graph nodes from different workspaces. - If scoped agents are not currently used in multi-workspace deployments, consider disabling them temporarily until the patch is applied.
Detection coverage 2
Detect Unauthorized Workspace ID in knowledge_search Request
highDetects requests to the knowledge_search handler with a workspaceId that differs from the agent's assigned workspace.
Detect Unauthorized Workspace ID in knowledge_get_node Request
highDetects requests to the knowledge_get_node handler with a workspaceId that differs from the agent's assigned workspace.
Detection queries are available on the platform. Get full rules →