GitLab MCP Server Wildcard CORS Vulnerability Allowing Unauthenticated Access to GitLab Tools

A vulnerability in GitLab MCP Server versions prior to 0.6.0 allows an AI agent to interact directly with GitLab without authentication. The issue arises because the HTTP transport in 'src/transport.ts' is shipped with no authentication layer and a wildcard 'Access-Control-Allow-Origin: *' on every response. This exposes a stateful, mutation-capable RPC endpoint that uses the operator's GitLab Personal Access Token (PAT) without any inbound credential check. The vulnerability is further exacerbated by the HTTP server binding to '0.0.0.0', exposing the unauthenticated endpoint on all interfaces. As a result, any cross-origin browser context can access the GitLab API tools, including destructive operations, using the operator's PAT.

Impact

Exploitation of this vulnerability allows unauthenticated access to all GitLab tools exposed by the server, using the operator's GitLab Personal Access Token. This includes destructive operations such as deleting repositories or groups, as well as other actions like pushing files or creating merge requests.

Reproduction

To reproduce this vulnerability, set 'USE_SSE=true' and start the GitLab MCP server. The server will listen on all interfaces without authentication, exposing the '/sse' and '/messages?sessionId=<id>' endpoints. The '/sse' endpoint can be accessed to open a server-sent events (SSE) connection, which returns a session endpoint URL. This URL can then be used to send MCP messages to the server, accessing GitLab tools via the operator's PAT. The wildcard CORS allows this exploitation from any cross-origin web page.

Remediation

Users should update to GitLab MCP Server version 0.6.0 or later, where this vulnerability is fixed.