<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Meta - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/meta/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 18:51:28 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/meta/feed.xml" rel="self" type="application/rss+xml"/><item><title>meta-ads-mcp Authentication Bypass via X-Pipeboard-Token Header</title><link>https://feed.craftedsignal.io/briefs/2026-07-meta-ads-mcp-auth-bypass/</link><pubDate>Fri, 17 Jul 2026 18:51:28 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-meta-ads-mcp-auth-bypass/</guid><description>An authentication bypass vulnerability in `meta-ads-mcp` version 1.0.113 allows unauthenticated network callers to gain unauthorized access by sending an arbitrary value in the `X-Pipeboard-Token` HTTP header, leading to the reuse of the server operator's `META_ACCESS_TOKEN` for full read and write access to Meta Ads data.</description><content:encoded><![CDATA[<p>A critical authentication bypass vulnerability, identified in <code>meta-ads-mcp</code> version 1.0.113, enables unauthenticated attackers to gain privileged access to Meta Ads data. This flaw resides within the <code>AuthInjectionMiddleware</code> logic, which incorrectly handles the presence of the <code>X-Pipeboard-Token</code> HTTP header. If an attacker sends an HTTP POST request to the <code>/mcp</code> endpoint with any arbitrary value in this header, the middleware bypasses the authentication check. Consequently, the application's token retrieval mechanism falls back to using the server operator's <code>META_ACCESS_TOKEN</code> environment variable. This grants the attacker the ability to read and write all Meta Ads data accessible to the operator. This vulnerability specifically impacts deployments of <code>meta-ads-mcp</code> configured in <code>streamable-http</code> mode with the <code>META_ACCESS_TOKEN</code> environment variable set, which is a documented production setup.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends an HTTP POST request to the <code>/mcp</code> endpoint, including an <code>X-Pipeboard-Token</code> header with an arbitrary value.</li>
<li>The <code>AuthInjectionMiddleware</code> in <code>meta_ads_mcp/core/http_auth_integration.py</code> evaluates its guard condition (<code>if not auth_token and not pipeboard_token</code>). Because <code>auth_token</code> is <code>None</code> (as <code>X-Pipeboard-Token</code> is not recognized by <code>extract_token_from_headers()</code>) and <code>pipeboard_token</code> is truthy (due to the presence of <code>X-Pipeboard-Token</code>), the condition evaluates to <code>False</code>, bypassing the intended authentication check.</li>
<li>No proper authentication context is established for the incoming request within the application.</li>
<li>During subsequent processing, when an access token is required, the application's token getter (<code>http_auth_integration.py:163-168</code>) defaults to the original token accessor due to the lack of an <code>auth_token</code>.</li>
<li>The <code>auth.py</code> module (<code>auth.py:446-453</code>) retrieves the <code>META_ACCESS_TOKEN</code> from the server's environment variables.</li>
<li>This operator's <code>META_ACCESS_TOKEN</code> is then automatically injected into the <code>access_token</code> keyword argument for any invoked <code>meta_api_tool</code> (e.g., <code>api.py:390-396</code>).</li>
<li>The targeted tool, such as <code>accounts.py:42-62</code> (<code>get_ad_accounts</code>), makes an API call to the Meta Graph API using the operator's <code>META_ACCESS_TOKEN</code>.</li>
<li><code>httpx.AsyncClient</code> (<code>api.py:225-235</code>) sends a privileged HTTP request to the Meta Graph API, allowing the attacker to read and write Meta Ads data with the operator's permissions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this authentication bypass allows an unauthenticated network-reachable attacker to fully compromise the <code>meta-ads-mcp</code> instance. The attacker gains the ability to read all Meta Ads data (including ad accounts, campaigns, creatives, audiences, and insights) accessible to the server operator. Furthermore, the attacker can write and modify Meta Ads resources, such as creating or updating campaigns and budgets, effectively taking control of the operator's advertising accounts. There is also a risk of exfiltrating the operator's identity through Meta Graph API error responses that might reference the compromised token. This vulnerability directly affects operators using <code>meta-ads-mcp</code> in <code>streamable-http</code> mode with a configured <code>META_ACCESS_TOKEN</code>.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable comprehensive <code>webserver</code> logging that captures all HTTP request headers for all HTTP POST requests to the <code>/mcp</code> endpoint.</li>
<li>Review <code>webserver</code> logs for HTTP POST requests to the <code>/mcp</code> endpoint containing the <code>X-Pipeboard-Token</code> header, as this indicates an attempted authentication bypass.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>authentication-bypass</category><category>web-vulnerability</category><category>meta</category><category>python</category><category>cwe-287</category></item></channel></rss>