Mcp

MCPHub is vulnerable to user identity spoofing on the MCP transport layer; an unauthenticated network user can impersonate any user, including administrators, on SSE/MCP endpoints by providing the target username in the URL path, which allows execution of MCP tool calls under a spoofed user's identity, access to user-scoped resources and data, and poisoning of audit logs.

Obot version 0.21.0 has an authorization bypass vulnerability in the `/mcp-connect/{id}` endpoint allowing any authenticated user to connect to any registered MCP server, regardless of permissions, leading to unauthorized access and actions on upstream services.

PraisonAI's MCP server is vulnerable to path traversal leading to arbitrary code execution by writing a Python `.pth` file into the user's site-packages directory, triggered via poisoned LLM contexts or unauthenticated HTTP-stream transports due to unvalidated kwargs in the dispatcher and lack of containment checks in file-handling tools.