{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/workspace-isolation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@grackle-ai/mcp"],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","data-leakage","workspace-isolation"],"_cs_type":"advisory","_cs_vendors":["Grackle AI"],"content_html":"\u003cp\u003eThe \u003ccode\u003e@grackle-ai/mcp\u003c/code\u003e package, specifically versions 0.70.1 and earlier, contains a critical authorization bypass vulnerability within the \u003ccode\u003eknowledge_search\u003c/code\u003e and \u003ccode\u003eknowledge_get_node\u003c/code\u003e MCP tools. This vulnerability allows scoped agents operating within one workspace to circumvent intended isolation boundaries and access knowledge graph nodes residing in other workspaces. This is due to the \u003ccode\u003eknowledge_search\u003c/code\u003e and \u003ccode\u003eknowledge_get_node\u003c/code\u003e handlers failing to properly receive or enforce workspace scoping via the \u003ccode\u003eauthContext\u003c/code\u003e. This vulnerability poses a significant risk of cross-workspace data leakage in deployments where multiple workspaces contain sensitive knowledge graph data and scoped agents are utilized. The issue was reported on March 25, 2026, and is tracked as GHSA-647h-p824-99w7. Defenders should prioritize patching or implementing workarounds to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA scoped agent is deployed within Workspace A, possessing limited permissions within that workspace.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the presence of the \u003ccode\u003eknowledge_search\u003c/code\u003e and \u003ccode\u003eknowledge_get_node\u003c/code\u003e tools within the \u003ccode\u003eSCOPED_TOOLS\u003c/code\u003e set, indicating their accessibility to scoped agents.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to the \u003ccode\u003eknowledge_search\u003c/code\u003e or \u003ccode\u003eknowledge_get_node\u003c/code\u003e handler, supplying an arbitrary \u003ccode\u003eworkspaceId\u003c/code\u003e parameter corresponding to Workspace B.\u003c/li\u003e\n\u003cli\u003eDue to the missing \u003ccode\u003eauthContext\u003c/code\u003e and lack of workspace scoping enforcement in the handler, the request bypasses intended access controls.\u003c/li\u003e\n\u003cli\u003eThe handler retrieves knowledge graph nodes from Workspace B based on the attacker-supplied \u003ccode\u003eworkspaceId\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe data from Workspace B is returned to the scoped agent in Workspace A.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive knowledge graph data residing in Workspace B.\u003c/li\u003e\n\u003cli\u003eThe attacker can exfiltrate or misuse the compromised data, leading to data leakage or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability results in cross-workspace data leakage, potentially exposing sensitive information stored in knowledge graphs across different workspaces. The number of affected deployments depends on the adoption rate of \u003ccode\u003e@grackle-ai/mcp\u003c/code\u003e with scoped agents and multi-workspace configurations. Successful exploitation can lead to unauthorized access to confidential data, impacting data privacy, compliance, and potentially causing reputational damage. The vulnerability affects any deployment where multiple workspaces contain sensitive knowledge graph data and scoped agents are used, putting organizations at significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@grackle-ai/mcp\u003c/code\u003e to a patched version beyond 0.70.1 to address the authorization bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, remove \u003ccode\u003eknowledge_search\u003c/code\u003e and \u003ccode\u003eknowledge_get_node\u003c/code\u003e from the \u003ccode\u003eSCOPED_TOOLS\u003c/code\u003e set in \u003ccode\u003etool-scoping.ts\u003c/code\u003e to restrict access to these tools for scoped agents.\u003c/li\u003e\n\u003cli\u003eMonitor the usage of \u003ccode\u003eknowledge_search\u003c/code\u003e and \u003ccode\u003eknowledge_get_node\u003c/code\u003e handlers for requests originating from scoped agents, and alert on any attempts to access knowledge graph nodes from different workspaces.\u003c/li\u003e\n\u003cli\u003eIf scoped agents are not currently used in multi-workspace deployments, consider disabling them temporarily until the patch is applied.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-02-29T10:00:00Z","date_published":"2024-02-29T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-02-29-grackle-ai-mcp-auth-bypass/","summary":"The @grackle-ai/mcp package has a workspace authorization bypass vulnerability in its knowledge_search MCP tool that allows scoped agents to bypass workspace isolation and access knowledge graph nodes from other workspaces, leading to cross-workspace data leakage.","title":"@grackle-ai/mcp Workspace Authorization Bypass in knowledge_search MCP Tool","url":"https://feed.craftedsignal.io/briefs/2024-02-29-grackle-ai-mcp-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Workspace-Isolation","version":"https://jsonfeed.org/version/1.1"}