Unauthenticated API Key Use in NetLicensing-MCP HTTP Mode
An unauthenticated vulnerability exists in netlicensing-mcp (version 0.1.5 and earlier) when operating in HTTP transport mode, where the ApiKeyMiddleware fails to enforce authentication for requests lacking a client API key, causing the application to fall back to the server's NETLICENSING_API_KEY environment variable for upstream calls, allowing an unauthenticated network attacker to invoke any MCP tool under the server operator's identity and account quota.
NetLicensing-MCP, an open-source tool designed for managing NetLicensing accounts, contains a critical vulnerability (CVSS 8.1) when deployed in HTTP transport mode, specifically affecting version 0.1.5 and earlier. The ApiKeyMiddleware fails to properly enforce authentication for incoming HTTP requests that lack a client API key. Instead of rejecting such unauthenticated requests, the application inadvertently proceeds, falling back to using the server operator's NETLICENSING_API_KEY environment variable for all subsequent upstream calls to the NetLicensing REST API. This flaw allows any unauthenticated network attacker to invoke any MCP tool functions, including product listing, license creation, modification, and destructive delete operations, entirely under the server operator's identity and account quota. Identified as a Missing Authentication for Critical Function (CWE-306), this vulnerability primarily impacts organizations running netlicensing-mcp on network-reachable interfaces with the NETLICENSING_API_KEY configured as per official documentation.
Attack Chain
- An unauthenticated network attacker sends an HTTP request to the
netlicensing-mcp/mcpendpoint, intentionally omitting anyx-netlicensing-api-keyheader orapikeyquery parameter. - The
ApiKeyMiddlewareinsrc/netlicensing_mcp/server.pyattempts to extract an API key from the incoming request. - Because no client key is provided by the attacker, the middleware fails to find one and unconditionally forwards the unauthenticated request to the next handler (
call_next(request)atserver.py:1427). - The downstream MCP client module (
src/netlicensing_mcp/client.py) is invoked and attempts to obtain an API key for making upstream calls to the NetLicensing REST API. - The
api_key_ctxContextVar inclient.pydefaults toos.getenv("NETLICENSING_API_KEY", "")(atclient.py:30), retrieving the server operator's confidential API key from the environment. - The MCP client proceeds to construct an
Authorization: Basicheader using the server operator's retrieved API key (client.py:62 - 70). - The MCP client then makes an upstream HTTP request to the NetLicensing REST API (e.g., to
/core/v2/rest/product) using the operator's credentials (client.py:105, 109). - The upstream NetLicensing API processes the request as if it originated from the legitimate server operator, granting the attacker full control over the operator's account via the MCP tools.
Impact
This vulnerability, categorized as Missing Authentication for Critical Function (CWE-306), allows any network-reachable attacker to invoke the full set of MCP tools without authentication. Attackers can execute read, create, update, and delete operations, with their requests transparently executed under the server operator's NetLicensing account. This leads to:
- Confidentiality: Unauthorized enumeration of all products, licenses, licensees, and transactions linked to the operator's account.
- Integrity: Unauthorized creation of new licenses or licensees, modification of existing license parameters, and forging of token-based validations.
- Availability: Potential for bulk deletion of products, licenses, or licensees, which could severely disrupt or destroy the operator's entire licensing configuration.
The vulnerability specifically impacts operators who deploy netlicensing-mcp in HTTP transport mode (python3 -m netlicensing_mcp.server http) with the NETLICENSING_API_KEY configured as a server-side environment variable and expose the service on a network-reachable interface. This deployment pattern is officially documented in the project README for remote and cloud deployments.
Recommendation
- Upgrade
netlicensing-mcpto a patched version (newer than 0.1.5) immediately to address the vulnerability insrc/netlicensing_mcp/server.py. - Apply the suggested patch from the advisory to
src/netlicensing_mcp/server.pyto correctly reject unauthenticated requests to the/mcpendpoint if an upgrade is not immediately feasible. - Review server configurations to ensure that the
netlicensing-mcpservice, particularly the vulnerable/mcpendpoint (IOC:/mcp), is not exposed on network-reachable interfaces when operating in HTTP mode with theNETLICENSING_API_KEYenvironment variable set. - Implement web application firewall (WAF) rules to block HTTP requests directed at the
/mcpendpoint (IOC:/mcp) that do not contain anx-netlicensing-api-keyheader orapikeyquery parameter, effectively mimicking the behavior of a patchedApiKeyMiddleware. - Monitor web server access logs for HTTP requests targeting the
/mcpendpoint (IOC:/mcp) that lack explicit API key authentication, as this may indicate attempted exploitation.