GHSA-vw82-7fv8-r6gp
CRITICALObot has an authorization bypass in /mcp-connect/{id} that allows any authenticated user to use any registered MCP server
Blast Radius
github.com/obot-platform/obotReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Summary
If you have the MCP Server ID, you can connect to the MCP server even if you don't have permissions to the server.
The MCP gateway endpoint /mcp-connect/{mcp_id} does not enforce Access Control Rules (ACRs). Any authenticated Obot user who possesses an MCP Server ID can connect to that server through the gateway — including making tool calls — regardless of whether they are a member of any MCP Registry that grants access to the server.
In practice this means any User can fully use MCP servers that the administrator believed were restricted to specific groups.
Severity
Reporter estimate: Critical.
| CVSS 3.1 metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low (authenticated Obot user, any role ≥ Basic) |
| User Interaction | None |
| Scope | Changed (Obot authorization bypass enables access to data and operations on an upstream third-party service via Obot's stored OAuth credentials) |
| Confidentiality | High |
| Integrity | High (many MCP servers expose write tools — e.g. updateEmployee, submitTimeoffRequest, ticket creation, file writes) |
| Availability | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
| Score | 9.3 / Critical |
The upstream impact depends on which MCP servers are deployed and what scope their stored credentials hold; the bound is "everything the platform's stored OAuth/API credentials can reach."
Affected Versions
Confirmed on obot v0.21.0.
Vulnerability Details
The intended flow is that a user's authorization is checked during the OAuth process with Obot.
- The user connects to an MCP URL through Obot.
- During the callback, after the user logs into Obot, Obot checks that the user has access to the provided resource (the
/mcp-connectURL in this case). Obot correctly determines the user's authorization during this flow. - However, another authorization check (the UI authorizer, in this case) was erroneously providing access.
Reproduction
Tested on obot v0.21.0.
Setup:
- Configure a multi-user MCP server connected to a sensitive backend — e.g. an HR system, ticketing system, or any service whose stored OAuth token grants broad read/write access. Note its ID.
- Create an MCP Registry / Access Control Rule that grants this server only to a small group (e.g. two HR employees). Remove the
everyonegroup from the relevant rule. - Create or identify a Basic User who is not a member of any registry granting access to this server.
Exploit:
-
Sign in as the Basic User.
-
Verify the UI does not list the server in any connector picker (it does not — that path is correctly gated).
-
Manually craft and call the gateway URL:
POST https://<obot>/mcp-connect/<mcp_server_id> Authorization: <session cookie or API key> Content-Type: application/json {"jsonrpc":"2.0","id":1,"method":"tools/list"} -
Observe a successful response listing the server's tools.
-
Issue an actual tool call:
{"jsonrpc":"2.0","id":2,"method":"tools/call",
"params":{"name":"<sensitive_tool>","arguments":{...}}}
- Observe the call succeeds, returning data scoped only by the upstream MCP server's OAuth credentials — not by Obot's ACRs.
The exploit works equally well via Claude Desktop / Claude Code / any MCP-aware client by configuring the gateway URL as a remote MCP endpoint with the user's API key.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/obot-platform/obot | all versions | 0.21.1 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/obot-platform/obot. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/obot-platform/obot to 0.21.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-vw82-7fv8-r6gp is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-vw82-7fv8-r6gp is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-vw82-7fv8-r6gp. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-vw82-7fv8-r6gp in your dependencies?
O3 detects GHSA-vw82-7fv8-r6gp across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.