Description
GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: * on every response. The structural defect is that the SSE server stands up a stateful, mutation-capable RPC endpoint that is backed by the operator's GITLAB_PERSONAL_ACCESS_TOKEN without any inbound credential check, then advertises itself to every cross-origin browser context via the wildcard CORS header. The httpServer.listen(port) call at line 97 also passes no host argument, so the bind defaults to 0.0.0.0 and exposes the auth-less surface on every interface. This vulnerability is fixed in 0.6.0.
Published: 2026-05-26
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the SSE transport of the GitLab MCP Server, which exposes an RPC endpoint without any authentication and sends a wildcard Access‑Control‑Allow‑Origin header on every response. The server binds to 0.0.0.0 by default, making the unauthenticated surface reachable from any network interface. The endpoint internally uses the operator’s GITLAB_PERSONAL_ACCESS_TOKEN, allowing any requester to issue mutation‑capable calls that can modify the connected GitLab instance. The likely attack vector is a client that can send crafted HTTP requests to the exposed SSE endpoint, potentially via a cross‑origin browser context or by directly connecting over TCP; the infrastructure does not enforce any inbound credential checks, so the attack does not require prior authentication.

Affected Systems

Any installation of yoda‑digital mcp‑gitlab‑server older than version 0.6.0 is affected. The vulnerability is present on all interfaces the server listens to, so any locally reachable or externally exposed host running a vulnerable instance is at risk.

Risk and Exploitability

With a CVSS score of 9.2 the issue is considered critical. The EPSS score is not available, but the absence of authentication combined with wildcard CORS makes exploitation straightforward for an attacker on the same network or able to forge cross‑origin requests. Although not yet listed in the CISA KEV catalog, the fact that every unauthenticated request is executed with the operator’s GitLab personal access token elevates the severity, warranting top‑priority remediation.

Generated by OpenCVE AI on May 26, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to GitLab MCP Server version 0.6.0 or later, where the authentication layer is enforced and CORS is limited.
  • If an upgrade cannot be performed immediately, reconfigure the HTTP server to listen only on a trusted interface such as localhost or an internal subnet to block external access to the unauthenticated endpoint.
  • Modify the server configuration to reject all requests lacking a valid Authorization header and to replace the wildcard CORS header with one that restricts access to approved origins.

Generated by OpenCVE AI on May 26, 2026 at 22:53 UTC.


Advisories

Source: GitHub GHSA
ID: GHSA-8jr5-6gvj-rfpf
Title: @yoda.digital/gitlab-mcp-server's SSE transport has no authentication and wildcard CORS, exposing all 86 GitLab tools

History

Wed, 27 May 2026 14:30:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Values added:
  • First Time appeared: Yoda-digital; Yoda-digital mcp-gitlab-server
  • Vendors & Products: Yoda-digital; Yoda-digital mcp-gitlab-server

Tue, 26 May 2026 21:45:00 +0000

Values added:
  • Description: the Description text shown at the top of this page
  • Title: GitLab MCP Server: SSE transport has no authentication and wildcard CORS, exposing all GitLab tools
  • Weaknesses: CWE-306, CWE-942
  • References: (no values listed)
  • Metrics (cvssV4_0): {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-27T13:35:15.941Z
Reserved: 2026-05-07T21:50:33.546Z
Link: CVE-2026-44895

Vulnrichment

Updated: 2026-05-27T13:35:11.743Z

NVD

Status: Deferred
Published: 2026-05-26T22:16:42.730
Modified: 2026-06-17T10:51:29.837
Link: CVE-2026-44895

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:08:20Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function
  • CWE-942: Permissive Cross-domain Security Policy with Untrusted Domains