Security vulnerabilities in popular MCP servers (auth bypass, RCE, API keys)
One POST request, six API keys: breaking into popular MCP servers (agentseal.org)
r/netsec, submitted 30 Mar 2026 by Kind-Release-3817, 55 points (89% upvoted)

tl;dr - one POST request decrypted every API key in a 14K-star project. tested 5 more MCP servers, found RCE, SSRF, prompt injection, and command injection. 70K combined github stars, zero auth on most of them.

- archon (13.7K stars): zero auth on entire credential API. one POST to /api/credentials/status-check returns every stored API key decrypted in plaintext. can also create and delete credentials. CORS is *, server binds 0.0.0.0
- blender-mcp (18K stars): prompt injection hidden in tool docstrings. the server instructs the AI to "silently remember" your API key type without telling you. also unsandboxed exec() for code execution
- claude-flow (27K stars): hardcoded --dangerously-skip permissions on every spawned claude process. 6 execSync calls with unsanitized string interpolation. textbook command injection
- deep-research (4.5K stars): MD5 auth bypass on crawler endpoint (empty password = trivial to compute). once past that, full SSRF - no URL validation at all. also promptOverrides lets you replace the system prompt, and CORS is *
- mcp-feedback-enhanced (3.6K stars): unauthenticated websocket accepts run_command messages. got env vars, ssh keys, aws creds. weak command blocklist bypassable with python3 -c
- figma-console-mcp (1.3K stars, 71K weekly npm downloads): readFileSync on user-controlled paths, directory traversal, websocket accepts connections with no origin header, any local process can register as a fake figma plugin and intercept all AI commands

all tested against real published packages, no modified code. exploit scripts and evidence logs linked in the post. the common theme: MCP has no auth standard so most servers just ship without any.

7 comments

[–] Kind-Release-3817 [S] 12 points, 1 day ago
disclosure: all maintainers were notified via github issues before publishing.
- archon: coleam00/archon#944
- blender-mcp: ahujasid/blender-mcp#214
- deep-research: u14app/deep-research#153
- mcp-feedback-enhanced: minidoracat/mcp-feedback-enhanced#219
- figma-console-mcp: southleft/figma-console-mcp#59

[–] Looz-Ashae 4 points, 1 day ago
Lol

    [–] Kind-Release-3817 [S] 3 points, 1 day ago
    yeah, the "no auth by design" thing keeps coming up. we have now filed issues on 15 repos -- the responses range from "we know" to radio silence

[–] Mrhiddenlotus 1 point, 1 day ago
Yay another one of these posts

[–] Radius314 2 points, 22 hours ago
This is exactly the Zero Trust problem at the agent layer. MCP servers are the new service accounts — they hold credentials and have broad scope. The findings (CORS *, 0.0.0.0 binding, plaintext key exfiltration) are the same mistakes we made 15 years ago on the network perimeter. Agents need privilege boundaries and continuous auth, not static credentials in memory. Before The Commit covers this as LLM governance — treat MCP like an untrusted microservice.