Product
The Grackle AI MCP tool layer, specifically versions of `@grackle-ai/mcp`, `@grackle-ai/plugin-core`, and `@grackle-ai/auth` up to `0.132.1`, suffers from an authorization bypass (IDOR) due to inconsistent inline checks, allowing a compromised scoped agent to perform unauthorized cross-task and cross-session operations, leading to data manipulation, denial of service, and sensitive data disclosure across workspaces.