Attack Chain

1. An attacker identifies a target MCP server ID.
2. The attacker authenticates to Obot with a basic user account.
3. The attacker crafts a malicious POST request to /mcp-connect/<mcp_server_id>.
4. The request includes a valid Obot session cookie or API key in the Authorization header.
5. The request body contains a JSON-RPC payload to list available tools on the MCP server: {"jsonrpc":"2.0","id":1,"method":"tools/list"}.
6. The attacker observes a successful response, confirming access to the MCP server’s tools, bypassing intended access controls.
7. The attacker crafts a subsequent JSON-RPC request to call a sensitive tool: {"jsonrpc":"2.0","id":2,"method":"tools/call", "params":{"name":"<sensitive_tool>","arguments":{...}}}.
8. The attacker executes the tool call successfully, gaining access to data and functionality normally restricted to authorized users, leveraging the MCP server’s OAuth credentials.

Impact

This vulnerability allows unauthorized users to access and manipulate sensitive data within connected MCP servers. The severity of the impact depends on the capabilities exposed by the affected MCP servers and the scope of their stored OAuth credentials. A successful exploit could lead to unauthorized data exfiltration, modification of critical systems, or other malicious activities, potentially impacting a wide range of services integrated with Obot, and could affect any number of Obot users.

Recommendation

• Upgrade to a patched version of Obot that addresses the authorization bypass vulnerability.
• Monitor web server logs for POST requests to /mcp-connect/ with unusual user agents or API keys, using the Detect Obot MCP Connect Authorization Bypass Sigma rule.
• Implement strict access control policies for MCP server registrations to limit the potential blast radius of a successful exploit.
• Review and restrict the permissions granted to Obot’s stored OAuth credentials to minimize the impact of unauthorized access.