{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/camofox-mcp--1.13.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["camofox-mcp (\u003c 1.13.2)"],"_cs_severities":["high"],"_cs_tags":["unauthenticated-access","browser-control","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003ecamofox-mcp\u003c/code\u003e package exposed a Streamable HTTP MCP endpoint at \u003ccode\u003e/mcp\u003c/code\u003e without requiring authentication. This vulnerability allows any client capable of reaching the \u003ccode\u003e/mcp\u003c/code\u003e endpoint to list and invoke browser-control tools. While the endpoint implemented rate limiting, it lacked proper inbound MCP-layer authentication. If \u003ccode\u003eCAMOFOX_API_KEY\u003c/code\u003e was configured, the server would forward this server-side key to the underlying \u003ccode\u003ecamofox-browser\u003c/code\u003e backend, effectively allowing an unauthenticated MCP caller to leverage the server\u0026rsquo;s browser authority without knowing the backend browser API key. The vulnerability existed in commit \u003ccode\u003e10e3ac08cb50d830eb4ee00a789229f02f28a1a4\u003c/code\u003e and was fixed in \u003ccode\u003ev1.13.2\u003c/code\u003e with commit \u003ccode\u003e599f56ee40f8062aeca541c251ed1d39fb437f50\u003c/code\u003e. This is a high severity issue, although default loopback-only deployments reduce the practical risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a \u003ccode\u003ecamofox-mcp\u003c/code\u003e instance with HTTP mode enabled.\u003c/li\u003e\n\u003cli\u003eAttacker sends an HTTP POST request to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe server receives the request and creates a \u003ccode\u003eStreamableHTTPServerTransport\u003c/code\u003e without authentication.\u003c/li\u003e\n\u003cli\u003eThe server connects to the transport and handles the request without validating client identity.\u003c/li\u003e\n\u003cli\u003eThe attacker lists available browser-control tools via an MCP command.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes a browser-control tool, such as \u003ccode\u003ecreate_tab\u003c/code\u003e or \u003ccode\u003enavigate\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server forwards the request to the \u003ccode\u003ecamofox-browser\u003c/code\u003e backend, using the configured \u003ccode\u003eCAMOFOX_API_KEY\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe backend executes the command, potentially allowing unauthorized browser automation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn unauthenticated client reaching the HTTP MCP endpoint can control the MCP server\u0026rsquo;s browser tools. Successful exploitation can lead to unauthorized page navigation, tab creation, interaction with authenticated browser contexts, screenshot and content observation, and other browser-automation actions. The vulnerability poses a significant risk when HTTP mode is exposed for remote clients or deployed through Docker/reverse-proxy configurations, particularly if operators assume \u003ccode\u003eCAMOFOX_API_KEY\u003c/code\u003e protects the entire control plane.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ecamofox-mcp\u003c/code\u003e to version \u003ccode\u003ev1.13.2\u003c/code\u003e or later to incorporate the fix described in the fix notes.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect unauthenticated requests to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003ecamofox-mcp\u003c/code\u003e configurations to ensure that HTTP mode is not exposed without proper authentication mechanisms in place.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for HTTP POST requests to \u003ccode\u003e/mcp\u003c/code\u003e (log source: webserver) originating from unexpected IP addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T20:15:57Z","date_published":"2026-05-19T20:15:57Z","id":"https://feed.craftedsignal.io/briefs/2026-05-camofox-mcp-unauth/","summary":"camofox-mcp exposed an unauthenticated HTTP MCP endpoint, allowing remote clients to invoke browser-control tools without authentication, potentially leading to unauthorized browser automation and data access.","title":"camofox-mcp Unauthenticated HTTP MCP Endpoint","url":"https://feed.craftedsignal.io/briefs/2026-05-camofox-mcp-unauth/"}],"language":"en","title":"CraftedSignal Threat Feed — Camofox-Mcp (\u003c 1.13.2)","version":"https://jsonfeed.org/version/1.1"}