GHSA-647h-p824-99w7
@grackle-ai/mcp has a workspace authorization bypass in its knowledge_search MCP tool
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
@grackle-ai/mcpnpmDescription
Impact
The knowledge_search and knowledge_get_node MCP tools are included in SCOPED_TOOLS (visible to scoped agents) but their handlers do not receive authContext and do not enforce workspace scoping. A scoped agent in Workspace A can supply an arbitrary workspaceId parameter to search or retrieve knowledge graph nodes from Workspace B, bypassing workspace isolation boundaries.
This is a cross-workspace data leakage vulnerability affecting any deployment where multiple workspaces contain sensitive knowledge graph data and scoped agents are used.
Affected code:
packages/mcp/src/tools/knowledge.ts:146-169(knowledge_search handler)packages/mcp/src/tools/knowledge.ts:244-283(knowledge_get_node handler)packages/mcp/src/tool-scoping.ts:11(both tools listed in SCOPED_TOOLS)
Contrast with correct implementation: knowledge_create_node (same file, lines 334-357) properly receives authContext and overrides the user-supplied workspaceId for scoped callers.
Design Note
Cross-workspace knowledge sharing is a legitimate future feature — agents working across different repos may need to collaborate and share knowledge. However, this access should be opt-in with explicit grants, not an implicit bypass. The immediate fix locks scoped agents to their own workspace. A future design could introduce:
- Workspace-level "share knowledge with" settings
- A
cross_workspacescope on scoped tokens - Explicit
workspaceIds(plural) in the auth context
Patches
Fix: Add authContext parameter to knowledge_search and knowledge_get_node handlers and enforce workspace scoping, matching the pattern in knowledge_create_node:
const resolvedWorkspaceId =
authContext?.type === "scoped"
? authContext.workspaceId ?? ""
: workspaceId ?? "";
When cross-workspace collaboration is designed, this check can be relaxed intentionally with proper access controls.
Workarounds
Do not use scoped agent tokens in multi-workspace deployments until patched. Alternatively, remove knowledge_search and knowledge_get_node from the SCOPED_TOOLS set in tool-scoping.ts.
References
- CWE-284: Improper Access Control
- File:
packages/mcp/src/tools/knowledge.ts - File:
packages/mcp/src/tool-scoping.ts
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | @grackle-ai/mcp | all versions | 0.70.2 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @grackle-ai/mcp. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update @grackle-ai/mcp to 0.70.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-647h-p824-99w7 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-647h-p824-99w7 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-647h-p824-99w7. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-647h-p824-99w7 in your dependencies?
O3 detects GHSA-647h-p824-99w7 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.