216.73.216.233

CVE-2026-44895

· Published 26/05/2026 22:16 · Modified 27/05/2026 14:16

Labels: CVE-2026-44895 2026-05-26CVE-2026-44895CWE-306[email protected]

Essential information

Published
26/05/2026 22:16
Modified
27/05/2026 14:16
Author
Creator
CVSS
9.2 CRITICAL (v3) 9.2 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: * on every response. The structural defect is that the SSE server stands up a stateful, mutation-capable RPC endpoint that is backed by the operator's GITLAB_PERSONAL_ACCESS_TOKEN without any inbound credential check, then advertises itself to every cross-origin browser context via the wildcard CORS header. The httpServer.listen(port) call at line 97 also passes no host argument, so the bind defaults to 0.0.0.0 and exposes the auth-less surface on every interface. This vulnerability is fixed in 0.6.0.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
gitlab / gitlab mcp server cpe:2.3:a:gitlab:gitlab_mcp_server:<0.6.0:*:*:*:*:*:*:*

References