Vendor

GitLab

1 brief RSS

GitLab MCP Server Unauthenticated Access via SSE Transport

The @yoda.digital/gitlab-mcp-server's SSE transport lacks authentication and uses wildcard CORS, enabling unauthenticated attackers to execute arbitrary GitLab API calls using the operator's GitLab PAT, including destructive operations.

@yoda.digital/gitlab-mcp-server gitlab auth-bypass sse cors vulnerability

2r 2t Jan 26, 2024