{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/meta-ads-mcp-1.0.113/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["meta-ads-mcp (1.0.113)"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","web-vulnerability","meta","python","cwe-287"],"_cs_type":"advisory","_cs_vendors":["Meta"],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, identified in \u003ccode\u003emeta-ads-mcp\u003c/code\u003e version 1.0.113, enables unauthenticated attackers to gain privileged access to Meta Ads data. This flaw resides within the \u003ccode\u003eAuthInjectionMiddleware\u003c/code\u003e logic, which incorrectly handles the presence of the \u003ccode\u003eX-Pipeboard-Token\u003c/code\u003e HTTP header. If an attacker sends an HTTP POST request to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint with any arbitrary value in this header, the middleware bypasses the authentication check. Consequently, the application's token retrieval mechanism falls back to using the server operator's \u003ccode\u003eMETA_ACCESS_TOKEN\u003c/code\u003e environment variable. This grants the attacker the ability to read and write all Meta Ads data accessible to the operator. This vulnerability specifically impacts deployments of \u003ccode\u003emeta-ads-mcp\u003c/code\u003e configured in \u003ccode\u003estreamable-http\u003c/code\u003e mode with the \u003ccode\u003eMETA_ACCESS_TOKEN\u003c/code\u003e environment variable set, which is a documented production setup.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends an HTTP POST request to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint, including an \u003ccode\u003eX-Pipeboard-Token\u003c/code\u003e header with an arbitrary value.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eAuthInjectionMiddleware\u003c/code\u003e in \u003ccode\u003emeta_ads_mcp/core/http_auth_integration.py\u003c/code\u003e evaluates its guard condition (\u003ccode\u003eif not auth_token and not pipeboard_token\u003c/code\u003e). Because \u003ccode\u003eauth_token\u003c/code\u003e is \u003ccode\u003eNone\u003c/code\u003e (as \u003ccode\u003eX-Pipeboard-Token\u003c/code\u003e is not recognized by \u003ccode\u003eextract_token_from_headers()\u003c/code\u003e) and \u003ccode\u003epipeboard_token\u003c/code\u003e is truthy (due to the presence of \u003ccode\u003eX-Pipeboard-Token\u003c/code\u003e), the condition evaluates to \u003ccode\u003eFalse\u003c/code\u003e, bypassing the intended authentication check.\u003c/li\u003e\n\u003cli\u003eNo proper authentication context is established for the incoming request within the application.\u003c/li\u003e\n\u003cli\u003eDuring subsequent processing, when an access token is required, the application's token getter (\u003ccode\u003ehttp_auth_integration.py:163-168\u003c/code\u003e) defaults to the original token accessor due to the lack of an \u003ccode\u003eauth_token\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eauth.py\u003c/code\u003e module (\u003ccode\u003eauth.py:446-453\u003c/code\u003e) retrieves the \u003ccode\u003eMETA_ACCESS_TOKEN\u003c/code\u003e from the server's environment variables.\u003c/li\u003e\n\u003cli\u003eThis operator's \u003ccode\u003eMETA_ACCESS_TOKEN\u003c/code\u003e is then automatically injected into the \u003ccode\u003eaccess_token\u003c/code\u003e keyword argument for any invoked \u003ccode\u003emeta_api_tool\u003c/code\u003e (e.g., \u003ccode\u003eapi.py:390-396\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe targeted tool, such as \u003ccode\u003eaccounts.py:42-62\u003c/code\u003e (\u003ccode\u003eget_ad_accounts\u003c/code\u003e), makes an API call to the Meta Graph API using the operator's \u003ccode\u003eMETA_ACCESS_TOKEN\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ehttpx.AsyncClient\u003c/code\u003e (\u003ccode\u003eapi.py:225-235\u003c/code\u003e) sends a privileged HTTP request to the Meta Graph API, allowing the attacker to read and write Meta Ads data with the operator's permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this authentication bypass allows an unauthenticated network-reachable attacker to fully compromise the \u003ccode\u003emeta-ads-mcp\u003c/code\u003e instance. The attacker gains the ability to read all Meta Ads data (including ad accounts, campaigns, creatives, audiences, and insights) accessible to the server operator. Furthermore, the attacker can write and modify Meta Ads resources, such as creating or updating campaigns and budgets, effectively taking control of the operator's advertising accounts. There is also a risk of exfiltrating the operator's identity through Meta Graph API error responses that might reference the compromised token. This vulnerability directly affects operators using \u003ccode\u003emeta-ads-mcp\u003c/code\u003e in \u003ccode\u003estreamable-http\u003c/code\u003e mode with a configured \u003ccode\u003eMETA_ACCESS_TOKEN\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable comprehensive \u003ccode\u003ewebserver\u003c/code\u003e logging that captures all HTTP request headers for all HTTP POST requests to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003ewebserver\u003c/code\u003e logs for HTTP POST requests to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint containing the \u003ccode\u003eX-Pipeboard-Token\u003c/code\u003e header, as this indicates an attempted authentication bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T18:51:28Z","date_published":"2026-07-17T18:51:28Z","id":"https://feed.craftedsignal.io/briefs/2026-07-meta-ads-mcp-auth-bypass/","summary":"An authentication bypass vulnerability in `meta-ads-mcp` version 1.0.113 allows unauthenticated network callers to gain unauthorized access by sending an arbitrary value in the `X-Pipeboard-Token` HTTP header, leading to the reuse of the server operator's `META_ACCESS_TOKEN` for full read and write access to Meta Ads data.","title":"meta-ads-mcp Authentication Bypass via X-Pipeboard-Token Header","url":"https://feed.craftedsignal.io/briefs/2026-07-meta-ads-mcp-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Meta-Ads-Mcp (1.0.113)","version":"https://jsonfeed.org/version/1.1"}