CVE-2026-44895
Deferred Deferred - Pending Action
GitLab MCP Server Missing Authentication in HTTP Transport

Publication date: 2026-05-26

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: * on every response. The structural defect is that the SSE server stands up a stateful, mutation-capable RPC endpoint that is backed by the operator's GITLAB_PERSONAL_ACCESS_TOKEN without any inbound credential check, then advertises itself to every cross-origin browser context via the wildcard CORS header. The httpServer.listen(port) call at line 97 also passes no host argument, so the bind defaults to 0.0.0.0 and exposes the auth-less surface on every interface. This vulnerability is fixed in 0.6.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-44895
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gitlab mcp_server to 0.6.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-942 The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in GitLab MCP Server versions prior to 0.6.0. The HTTP transport component in the source code (src/transport.ts) lacks any authentication layer and uses a wildcard Access-Control-Allow-Origin: * header on every response. This means that the server exposes a stateful, mutation-capable RPC endpoint that uses the operator's GitLab personal access token without verifying inbound credentials. Additionally, the server listens on all network interfaces (0.0.0.0) without restricting access. As a result, any cross-origin browser context can access this endpoint, potentially allowing unauthorized actions using the operator's credentials.

Impact Analysis

The vulnerability can lead to unauthorized access and control over the GitLab MCP Server because the RPC endpoint is exposed without authentication and accessible from any origin. An attacker could exploit this to perform mutations or actions on behalf of the operator using their personal access token, potentially leading to data manipulation, unauthorized changes, or compromise of the GitLab environment.

Mitigation Strategies

The vulnerability is fixed in GitLab MCP Server version 0.6.0. Immediate mitigation involves upgrading the GitLab MCP Server to version 0.6.0 or later.

Prior to upgrading, be aware that the vulnerable versions expose an unauthenticated RPC endpoint bound to all interfaces (0.0.0.0) with a wildcard Access-Control-Allow-Origin header, which allows cross-origin access without credential checks.

  • Upgrade GitLab MCP Server to version 0.6.0 or later.
  • Restrict network access to the server to trusted hosts only, to limit exposure.
  • Avoid exposing the vulnerable service to public or untrusted networks until patched.
Compliance Impact

The vulnerability allows unauthenticated access to a stateful, mutation-capable RPC endpoint backed by an operator's personal access token, exposed on every network interface with a wildcard CORS policy. This could lead to unauthorized access and potential data breaches.

Such unauthorized access and exposure of sensitive tokens could result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

Detection Guidance

This vulnerability can be detected by checking if the GitLab MCP Server is running a version prior to 0.6.0 and if it exposes the SSE transport endpoints without authentication and with permissive CORS headers.

You can scan your network or system for the presence of the vulnerable server by probing for open HTTP endpoints bound to all interfaces (0.0.0.0) that respond to requests on paths such as /sse or /messages?sessionId=...

  • Use curl or similar tools to send requests to the suspected server endpoints and observe if responses include the header Access-Control-Allow-Origin: * indicating wildcard CORS.
  • Example command to check the CORS header on the /sse endpoint: curl -i http://<server-ip>:<port>/sse
  • Example command to check the /messages endpoint with a sessionId parameter: curl -i "http://<server-ip>:<port>/messages?sessionId=test"

If these endpoints respond without requiring authentication and include the wildcard CORS header, the system is likely vulnerable.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44895. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart