Intel

AIKIDO-2026-925607

@zereight/mcp-gitlab is vulnerable to Authentication Bypass

Authentication BypassGHSA-5648-rgj9-v224 Published 3 days ago

81

High Risk

This Affects:

JS@zereight/mcp-gitlab
1.0.72 - 2.1.29
Fixed in 2.1.30
Are you affected? Scan for Free

TL;DR

The GitLab MCP server can be started with the Streamable HTTP transport while a server-side static GitLab credential (GITLAB_PERSONAL_ACCESS_TOKEN, GITLAB_JOB_TOKEN, a cookie path, or device-flow OAuth) is configured. In this mode the /mcp endpoint serves requests without enforcing any MCP-layer authorization, so any client that can reach the transport can invoke GitLab operations using the server's credentials at the token's privilege level. An earlier partial fix only gated static personal/job tokens, leaving cookie and OAuth credential modes unauthenticated. The fix adds a complete startup gate and a mandatory Streamable HTTP bearer token so unauthenticated network callers can no longer use the server's GitLab access.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you run the Streamable HTTP transport with a server-side GitLab credential without MCP-layer authorization enabled.

Background info

@zereight/mcp-gitlab is vulnerable to Authentication Bypass in versions 1.0.72 - 2.1.29.

How to fix this

Upgrade the @zereight/mcp-gitlab library to the patch version.