{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/jwt-bypass/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["mcp-gateway (\u003c= 0.6.1)"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","authorization-bypass","jwt-bypass"],"_cs_type":"advisory","_cs_vendors":["Kuadrant"],"content_html":"\u003cp\u003eThe MCP router (ext_proc) in Kuadrant mcp-gateway versions 0.6.1 and earlier exposes an \u003ccode\u003einitialize\u003c/code\u003e method code path that allows for a critical authentication and authorization bypass. This vulnerability stems from the insufficient validation of the \u003ccode\u003emcp-init-host\u003c/code\u003e header when present in a request. The presence of this header, combined with a correct \u003ccode\u003erouter-key\u003c/code\u003e (either the hardcoded \u0026ldquo;secret-api-key\u0026rdquo; or a SHA-256 truncation of the \u003ccode\u003eMCPGatewayExtension\u003c/code\u003e UID), bypasses the gateway\u0026rsquo;s JWT session validator. This allows an attacker to rewrite the upstream \u003ccode\u003e:authority\u003c/code\u003e header to an arbitrary value, effectively impersonating any service. This bypasses both the broker\u0026rsquo;s \u003ccode\u003ex-mcp-authorized\u003c/code\u003e capability filter and the gateway\u0026rsquo;s JWT-based session model, granting unauthorized access to backend listeners registered with the gateway.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable mcp-gateway instance (version \u0026lt;= 0.6.1).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains the \u003ccode\u003erouter-key\u003c/code\u003e. This is either the default \u0026ldquo;secret-api-key\u0026rdquo; or, in controller-managed deployments, the SHA-256 truncation of the \u003ccode\u003eMCPGatewayExtension\u003c/code\u003e UID, which is accessible with \u003ccode\u003eget\u003c/code\u003e permissions or via the \u003ccode\u003e--mcp-router-key\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing the \u003ccode\u003emcp-init-host\u003c/code\u003e header and the correct \u003ccode\u003erouter-key\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003e:authority\u003c/code\u003e header within the crafted request to a desired, potentially sensitive, backend service.\u003c/li\u003e\n\u003cli\u003eThe MCP router, upon receiving the request with the \u003ccode\u003emcp-init-host\u003c/code\u003e and valid \u003ccode\u003erouter-key\u003c/code\u003e, bypasses the JWT session validator.\u003c/li\u003e\n\u003cli\u003eThe MCP router rewrites the upstream \u003ccode\u003e:authority\u003c/code\u003e header based on the attacker\u0026rsquo;s provided value.\u003c/li\u003e\n\u003cli\u003eThe request is forwarded to the targeted backend listener registered with the gateway.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the backend service, effectively bypassing authentication and authorization mechanisms.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to completely bypass authentication and authorization controls in the MCP gateway. This can lead to unauthorized access to sensitive backend services, data exfiltration, and other malicious activities. The critical nature of this vulnerability lies in its ability to grant complete control over the \u003ccode\u003e:authority\u003c/code\u003e header, which is a fundamental component of service identification and routing. If the default \u003ccode\u003erouter-key\u003c/code\u003e is in use, any internet-exposed mcp-gateway is trivially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Kuadrant mcp-gateway to a version greater than 0.6.1 to patch the vulnerability described in GHSA-g53w-w6mj-hrpp.\u003c/li\u003e\n\u003cli\u003eRotate the \u003ccode\u003eMCPGatewayExtension\u003c/code\u003e UID, if in use, to invalidate previously exposed \u003ccode\u003erouter-key\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect MCP Gateway Authentication Bypass Attempt\u0026rdquo; to detect attempts to exploit this vulnerability by monitoring for the presence of the \u003ccode\u003emcp-init-host\u003c/code\u003e header with the default \u003ccode\u003erouter-key\u003c/code\u003e value in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor MCPGatewayExtension resources for unauthorized access that could lead to router-key exposure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T19:43:15Z","date_published":"2026-05-19T19:43:15Z","id":"https://feed.craftedsignal.io/briefs/2026-05-mcp-gateway-auth-bypass/","summary":"The MCP router exposes an initialize method code path that bypasses the gateway JWT session validator and rewrites the upstream :authority header, gated only by a shared header value, allowing attackers to bypass authorization and access backend services.","title":"MCP Gateway Authority Injection and JWT/Session Bypass via Unauthenticated Router Hairpin","url":"https://feed.craftedsignal.io/briefs/2026-05-mcp-gateway-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Jwt-Bypass","version":"https://jsonfeed.org/version/1.1"}