CVE-2025-13822 PUBLISHED

Authentication bypass in MCPHub

Assigner: CERT-PL
Reserved: 01.12.2025 Published: 14.04.2026 Updated: 14.04.2026

MCPHub versions below 0.11.0 are vulnerable to authentication bypass. Some endpoints are not protected by the authentication middleware, which allows an unauthenticated attacker to perform actions on behalf of other users, with those users' privileges.

Metrics

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.3

Product Status

Vendor: MCPHub
Product: MCPHub
Versions: default status unaffected
  • affected from 0 to 0.11.0 (exclusive)

Credits

  • Eryk Winiarz (finder)

Problem Types

  • CWE-639: Authorization Bypass Through User-Controlled Key

Impacts

  • CAPEC-233: Privilege Escalation