CVE-2026-50287
Unauthenticated Remote Tool Access in AgenticMail MCP Server

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
AgenticMail gives AI agents real email addresses and phone numbers. Prior to version 0.9.27, @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or MCP_HTTP=1. In that mode, the /mcp endpoint accepts requests without any HTTP authentication layer. A remote client can initialize a session and call tools directly. This issue has been patched in version 0.9.27.
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-13
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products

Vendor        Product   Version / Range
agenticmail   mcp       up to 0.9.27 (excluding 0.9.27)
CWE

CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-50287 is a critical authentication bypass vulnerability in the @agenticmail/mcp npm package versions prior to 0.9.27. When the package is run in HTTP mode (using --http or MCP_HTTP=1), it exposes a Streamable HTTP transport on the /mcp endpoint without requiring any authentication.

This means a remote client can initialize a session and directly call tools, including those that should be restricted by the AGENTICMAIL_MASTER_KEY, such as administrative and gateway functions.

The vulnerability exists because the HTTP server does not check for an Authorization header, but still forwards master-key tool calls using the server's master key, allowing unauthenticated users to execute master-only operations.

Impact Analysis

This vulnerability allows unauthenticated remote attackers to perform unauthorized actions by invoking sensitive tools directly on the server.

  • Unauthorized access to administrative functions such as setup_email_relay and setup_email_domain.
  • Ability to delete or clean up agents using delete_agent and cleanup_agents tools.
  • Sending test emails without authorization via the send_test_email tool.

Overall, this can lead to compromise of the email system's configuration and operations, potentially disrupting services or exposing sensitive information.

Detection Guidance

This vulnerability can be detected by checking whether the @agenticmail/mcp package is running in HTTP mode (started with --http or MCP_HTTP=1) and whether the /mcp endpoint is reachable without any HTTP authentication.

A practical way to detect this is to attempt an unauthenticated HTTP request to the /mcp endpoint on the server running the vulnerable package. If the endpoint responds and allows session initialization or tool invocation without authentication, the system is vulnerable.

Example command using curl to test the /mcp endpoint for unauthenticated access:

  • curl -X POST http://<target-ip>:<port>/mcp -d '{"tool":"setup_guide"}' -H 'Content-Type: application/json'

If the response indicates that the tool was executed or a session was initialized without requiring authentication, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade the @agenticmail/mcp package to version 0.9.27 or later, where this vulnerability has been patched.
  • If upgrading is not immediately possible, disable HTTP mode: do not start the package with --http and do not set MCP_HTTP=1.
  • Restrict network access to the MCP HTTP port with firewall rules, or bind the server to localhost only, so that remote unauthenticated clients cannot reach it.
  • Require authentication on the /mcp endpoint so that unauthenticated clients cannot initialize a session or invoke tools.

Compliance Impact

CVE-2026-50287 allows unauthenticated remote clients to access and execute administrative and gateway functions by bypassing authentication on the /mcp HTTP endpoint. This unauthorized access to sensitive tools and operations could lead to exposure or manipulation of sensitive data.

Such unauthorized access and potential data exposure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Therefore, this vulnerability poses a risk to maintaining compliance with these regulations until it is patched or mitigated.
