Vendor
An unauthenticated vulnerability exists in netlicensing-mcp (version 0.1.5 and earlier) when operating in HTTP transport mode, where the ApiKeyMiddleware fails to enforce authentication for requests lacking a client API key, causing the application to fall back to the server's NETLICENSING_API_KEY environment variable for upstream calls, allowing an unauthenticated network attacker to invoke any MCP tool under the server operator's identity and account quota.