{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/obot/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["obot"],"_cs_severities":["critical"],"_cs_tags":["authorization bypass","privilege escalation","mcp","cloud"],"_cs_type":"advisory","_cs_vendors":["obot-platform"],"content_html":"\u003cp\u003eObot version 0.21.0 is vulnerable to an authorization bypass in the \u003ccode\u003e/mcp-connect/{id}\u003c/code\u003e endpoint. This flaw allows any authenticated user, even those without explicit permissions, to connect to any registered MCP server. The vulnerability stems from a missing access control check on the \u003ccode\u003e/mcp-connect/{mcp_id}\u003c/code\u003e gateway endpoint. This means that any user possessing an MCP Server ID can connect to that server through the gateway and make tool calls, effectively circumventing intended restrictions. This critical vulnerability could enable unauthorized access to sensitive data and operations on upstream third-party services accessible via Obot\u0026rsquo;s stored OAuth credentials.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target MCP server ID.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to Obot with a basic user account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request to \u003ccode\u003e/mcp-connect/\u0026lt;mcp_server_id\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a valid Obot session cookie or API key in the \u003ccode\u003eAuthorization\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe request body contains a JSON-RPC payload to list available tools on the MCP server: \u003ccode\u003e{\u0026quot;jsonrpc\u0026quot;:\u0026quot;2.0\u0026quot;,\u0026quot;id\u0026quot;:1,\u0026quot;method\u0026quot;:\u0026quot;tools/list\u0026quot;}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker observes a successful response, confirming access to the MCP server\u0026rsquo;s tools, bypassing intended access controls.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a subsequent JSON-RPC request to call a sensitive tool: \u003ccode\u003e{\u0026quot;jsonrpc\u0026quot;:\u0026quot;2.0\u0026quot;,\u0026quot;id\u0026quot;:2,\u0026quot;method\u0026quot;:\u0026quot;tools/call\u0026quot;, \u0026quot;params\u0026quot;:{\u0026quot;name\u0026quot;:\u0026quot;\u0026lt;sensitive_tool\u0026gt;\u0026quot;,\u0026quot;arguments\u0026quot;:{...}}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the tool call successfully, gaining access to data and functionality normally restricted to authorized users, leveraging the MCP server\u0026rsquo;s OAuth credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows unauthorized users to access and manipulate sensitive data within connected MCP servers. The severity of the impact depends on the capabilities exposed by the affected MCP servers and the scope of their stored OAuth credentials. A successful exploit could lead to unauthorized data exfiltration, modification of critical systems, or other malicious activities, potentially impacting a wide range of services integrated with Obot, and could affect any number of Obot users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Obot that addresses the authorization bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/mcp-connect/\u003c/code\u003e with unusual user agents or API keys, using the \u003ccode\u003eDetect Obot MCP Connect Authorization Bypass\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies for MCP server registrations to limit the potential blast radius of a successful exploit.\u003c/li\u003e\n\u003cli\u003eReview and restrict the permissions granted to Obot\u0026rsquo;s stored OAuth credentials to minimize the impact of unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T15:36:01Z","date_published":"2026-05-13T15:36:01Z","id":"https://feed.craftedsignal.io/briefs/2026-05-obot-auth-bypass/","summary":"Obot version 0.21.0 has an authorization bypass vulnerability in the `/mcp-connect/{id}` endpoint allowing any authenticated user to connect to any registered MCP server, regardless of permissions, leading to unauthorized access and actions on upstream services.","title":"Obot Authorization Bypass in /mcp-connect/{id} Endpoint","url":"https://feed.craftedsignal.io/briefs/2026-05-obot-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Obot","version":"https://jsonfeed.org/version/1.1"}