samanhappy MCPHub Improper Authentication Vulnerability in SSE Service

Vulnerability

A vulnerability exists in samanhappy MCPHub versions through 0.9.10, specifically in the handleSseConnection function within src/services/sseService.ts. This issue allows users to forge identities and access the MCP without authentication. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for unauthorized access and identity impersonation within the application.

Reproduction

To reproduce this vulnerability, send a GET request to the /admin/sse/test endpoint without an authorization header. The server will respond as if the request was authenticated, allowing access to the requested resource.
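A fail-closed authorization check of the kind that would reject the request above, as an added example (not MCPHub's code and not the project's fix). It assumes the first path segment names the user, as in /admin/sse/test; the token table and the function names are hypothetical.

```typescript
// Added example, not MCPHub code. The /<user>/sse/<group> route shape and the
// token table are assumptions made for illustration.
type Decision = { status: number; user?: string; reason: string };
interface TokenRecord { token: string; user: string }

// Constructed sample credentials (placeholders, not real secrets).
const TOKENS: TokenRecord[] = [
  { token: "tok-admin-EXAMPLE", user: "admin" },
  { token: "tok-alice-EXAMPLE", user: "alice" },
];

// Compare without returning early on the first differing character.
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// Decide whether an SSE connection may be opened. Call this before any stream
// is set up. Header names are expected lowercased, as Node delivers them.
function authorizeSse(path: string, headers: { [name: string]: string | undefined }): Decision {
  const m = /^\/([^\/]+)\/sse(?:\/([^\/]*))?$/.exec(path);
  if (!m) return { status: 404, reason: "not an SSE route" };
  const pathUser = m[1];

  const bearer = /^Bearer ([^\s]+)$/.exec(headers["authorization"] || "");
  // Missing or malformed header: fail closed instead of trusting the path.
  if (!bearer) return { status: 401, reason: "missing bearer token" };

  let tokenUser: string | undefined;
  for (const rec of TOKENS) {
    if (constantTimeEqual(bearer[1], rec.token)) tokenUser = rec.user;
  }
  if (tokenUser === undefined) return { status: 401, reason: "unknown token" };

  // Identity comes from the verified token; the path segment is only a claim.
  if (tokenUser !== pathUser) return { status: 403, reason: "token does not match path user" };
  return { status: 200, user: tokenUser, reason: "ok" };
}
```

The same function doubles as a regression check: a request for /admin/sse/test with no Authorization header must yield 401, and a valid token for a different user must yield 403.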

Added: Oct 5, 2025, 7:17 AM
Updated: Oct 5, 2025, 7:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.