meta-ads-mcp Authentication Bypass via X-Pipeboard-Token Header
An authentication bypass vulnerability in `meta-ads-mcp` version 1.0.113 allows unauthenticated network callers to gain unauthorized access by sending an arbitrary value in the `X-Pipeboard-Token` HTTP header, leading to the reuse of the server operator's `META_ACCESS_TOKEN` for full read and write access to Meta Ads data.
A critical authentication bypass vulnerability, identified in meta-ads-mcp version 1.0.113, enables unauthenticated attackers to gain privileged access to Meta Ads data. This flaw resides within the AuthInjectionMiddleware logic, which incorrectly handles the presence of the X-Pipeboard-Token HTTP header. If an attacker sends an HTTP POST request to the /mcp endpoint with any arbitrary value in this header, the middleware bypasses the authentication check. Consequently, the application's token retrieval mechanism falls back to using the server operator's META_ACCESS_TOKEN environment variable. This grants the attacker the ability to read and write all Meta Ads data accessible to the operator. This vulnerability specifically impacts deployments of meta-ads-mcp configured in streamable-http mode with the META_ACCESS_TOKEN environment variable set, which is a documented production setup.
Attack Chain
- An unauthenticated attacker sends an HTTP POST request to the
/mcpendpoint, including anX-Pipeboard-Tokenheader with an arbitrary value. - The
AuthInjectionMiddlewareinmeta_ads_mcp/core/http_auth_integration.pyevaluates its guard condition (if not auth_token and not pipeboard_token). Becauseauth_tokenisNone(asX-Pipeboard-Tokenis not recognized byextract_token_from_headers()) andpipeboard_tokenis truthy (due to the presence ofX-Pipeboard-Token), the condition evaluates toFalse, bypassing the intended authentication check. - No proper authentication context is established for the incoming request within the application.
- During subsequent processing, when an access token is required, the application's token getter (
http_auth_integration.py:163-168) defaults to the original token accessor due to the lack of anauth_token. - The
auth.pymodule (auth.py:446-453) retrieves theMETA_ACCESS_TOKENfrom the server's environment variables. - This operator's
META_ACCESS_TOKENis then automatically injected into theaccess_tokenkeyword argument for any invokedmeta_api_tool(e.g.,api.py:390-396). - The targeted tool, such as
accounts.py:42-62(get_ad_accounts), makes an API call to the Meta Graph API using the operator'sMETA_ACCESS_TOKEN. httpx.AsyncClient(api.py:225-235) sends a privileged HTTP request to the Meta Graph API, allowing the attacker to read and write Meta Ads data with the operator's permissions.
Impact
Successful exploitation of this authentication bypass allows an unauthenticated network-reachable attacker to fully compromise the meta-ads-mcp instance. The attacker gains the ability to read all Meta Ads data (including ad accounts, campaigns, creatives, audiences, and insights) accessible to the server operator. Furthermore, the attacker can write and modify Meta Ads resources, such as creating or updating campaigns and budgets, effectively taking control of the operator's advertising accounts. There is also a risk of exfiltrating the operator's identity through Meta Graph API error responses that might reference the compromised token. This vulnerability directly affects operators using meta-ads-mcp in streamable-http mode with a configured META_ACCESS_TOKEN.
Recommendation
- Enable comprehensive
webserverlogging that captures all HTTP request headers for all HTTP POST requests to the/mcpendpoint. - Review
webserverlogs for HTTP POST requests to the/mcpendpoint containing theX-Pipeboard-Tokenheader, as this indicates an attempted authentication bypass.