{"uuid": "cd2adc8f-3e8a-4ba1-9ffb-030ef1305d01", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-63gr-g7jc-v8rg", "type": "seen", "source": "https://gist.github.com/alon710/64eb910b8e690847cdc9aafa60c45d51", "content": "# GHSA-63GR-G7JC-V8RG: Missing Authentication in AgenticMail MCP HTTP Transport Layer\n\n> **CVSS Score:** 9.8\n> **Published:** 2026-06-01\n> **Full Report:** https://cvereports.com/reports/GHSA-63GR-G7JC-V8RG\n\n## Summary\nAn architectural flaw in the optional Streamable HTTP transport mode of @agenticmail/mcp allows unauthenticated remote network clients to execute administrative API commands. The server, holding the AGENTICMAIL_MASTER_KEY, functions as a confused deputy, letting attackers run privileged functions like deleting agents and establishing mail relays.\n\n## TL;DR\nUnauthenticated remote attackers can execute high-privilege administrative tools on @agenticmail/mcp servers running in HTTP mode because the /mcp endpoint lacks authentication checks and binds to all interfaces by default.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-306\n- **Attack Vector**: Network\n- **CVSS Score**: 9.8\n- **EPSS Score**: N/A (Requires CVE ID assignment)\n- **Impact**: Unauthenticated administrative tool execution\n- **Exploit Status**: Proof-of-Concept (PoC) available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- AgenticMail MCP Server HTTP Transport Layer\n- AgenticMail Command Line Interface (CLI)\n- AgenticMail ClaudeCode Integration\n- AgenticMail Codex Integration\n- **@agenticmail/mcp**: < 0.9.27 (Fixed in: `0.9.27`)\n- **@agenticmail/cli**: < 0.9.101 (Fixed in: `0.9.101`)\n- **@agenticmail/claudecode**: < 0.2.32 (Fixed in: `0.2.32`)\n- **@agenticmail/codex**: < 0.1.26 (Fixed in: `0.1.26`)\n\n## Mitigation\n\n- Disable HTTP mode entirely if not strictly required, relying 
on the default Stdio transport instead.\n- Restrict network-level access to the port (default 8014) through firewalls and network access control lists (NACLs).\n- Ensure the local directory containing user tokens is secured with permissions restricting access to the process owner.\n\n**Remediation Steps:**\n1. Update @agenticmail/mcp to version 0.9.27 or higher.\n2. Force-update downstream consumer tooling such as @agenticmail/cli to version 0.9.101, @agenticmail/claudecode to 0.2.32, and @agenticmail/codex to 0.1.26.\n3. Audit existing deployment scripts and process configuration managers to guarantee that the '--insecure' CLI parameter is not used.\n\n## References\n\n- [AgenticMail Advisory Record](https://github.com/agenticmail/agenticmail/security/advisories/GHSA-63gr-g7jc-v8rg)\n- [GitHub Advisory Database Entry](https://github.com/advisories/GHSA-63gr-g7jc-v8rg)\n- [Vulnerable Source File Link](https://github.com/agenticmail/agenticmail/blob/7b9b05d973676e9f3d097c08b8e649f59bfc15d0/packages/mcp/src/index.ts#L311)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-63GR-G7JC-V8RG) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-03T09:11:00.000000Z"}