The vulnerability allows anyone who can reach the service to call the /mcp endpoint without any form of authentication. Because the endpoint gives direct access to internal tools, a remote attacker can trigger arbitrary commands or functions, effectively taking control over the system’s behavior. This is a classic authentication bypass leading to unauthorized execution of privileged actions. The weakness is identified as CWE-306, Authentication Bypass. The impact is therefore a potential compromise of confidentiality, integrity, and availability depending on which tools are exposed.

AgenticMail’s @agenticmail/mcp component, part of the agenticmail vendor, is affected in all releases prior to 0.9.27. In those versions the component launches a streamable HTTP listener when started with the --http flag or the MCP_HTTP environment variable set to 1, exposing the /mcp interface to unauthenticated traffic. Users running older releases on publicly reachable networks expose this weakness.

The CVSS score of 8.7 indicates a high severity with the possibility of complete takeover if the endpoint is reachable. The EPSS score of < 1% suggests that, at the moment of analysis, the probability of exploitation is very low but not zero, possibly due to limited visibility or niche exposure. The vulnerability is not listed in the CISA KEV catalog, meaning no known organized exploitation campaigns are tracked yet. An attacker would need network access to the HTTP transport, which is often exposed to the internet or an internal network, and would then send a simple request to the /mcp endpoint to initiate tool usage.