DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-63GR-G7JC-V8RG: Missing Authentication in AgenticMail MCP HTTP Transport Layer

Vulnerability ID: GHSA-63GR-G7JC-V8RG
CVSS Score: 9.8
Published: 2026-06-01

An architectural flaw in the optional Streamable HTTP transport mode of @agenticmail/mcp allows unauthenticated remote network clients to execute administrative API commands. The server, holding the AGENTICMAIL_MASTER_KEY, functions as a confused deputy, letting attackers run privileged functions like deleting agents and establishing mail relays.

TL;DR

Unauthenticated remote attackers can execute high-privilege administrative tools on @agenticmail/mcp servers running in HTTP mode because the /mcp endpoint lacks authentication checks and binds to all interfaces by default.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-306
  • Attack Vector: Network
  • CVSS Score: 9.8
  • EPSS Score: N/A (Requires CVE ID assignment)
  • Impact: Unauthenticated administrative tool execution
  • Exploit Status: Proof-of-Concept (PoC) available
  • KEV Status: Not Listed

Affected Systems

  • AgenticMail MCP Server HTTP Transport Layer
  • AgenticMail Command Line Interface (CLI)
  • AgenticMail ClaudeCode Integration
  • AgenticMail Codex Integration
  • @agenticmail/mcp: < 0.9.27 (Fixed in: 0.9.27)
  • @agenticmail/cli: < 0.9.101 (Fixed in: 0.9.101)
  • @agenticmail/claudecode: < 0.2.32 (Fixed in: 0.2.32)
  • @agenticmail/codex: < 0.1.26 (Fixed in: 0.1.26)

Code Analysis

Commit: 7d1791d

Fix missing authorization on the MCP HTTP transport layer by adding timing-safe token validation and local minting.

Commit: 7b9b05d

Update CHANGELOG document in workspace root detailing security patch releases for 0.9.101 and companion server versions.
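
The control described for commit 7d1791d (timing-safe token validation plus local minting) is illustrated below. This is an added example, not AgenticMail's code: the function names, the `Authorization: Bearer` scheme, and the token file handling are assumptions; only port 8014 comes from the advisory.

```javascript
// Added example, not AgenticMail's code. All function names are hypothetical.
const crypto = require('node:crypto');
const fs = require('node:fs');
const http = require('node:http');

// Mint a random bearer token locally and store it readable by the
// process owner only (see the token-directory mitigation in this advisory).
function mintToken(path) {
  const token = crypto.randomBytes(32).toString('hex');
  fs.writeFileSync(path, token, { mode: 0o600 });
  fs.chmodSync(path, 0o600); // enforce the mode even if the file already existed
  return token;
}

// Compare fixed-length SHA-256 digests so timingSafeEqual never throws on a
// length mismatch and comparison time does not depend on the supplied value.
function isAuthorized(authHeader, expectedToken) {
  if (typeof authHeader !== 'string' || !authHeader.startsWith('Bearer ')) {
    return false;
  }
  const digest = (s) => crypto.createHash('sha256').update(s).digest();
  return crypto.timingSafeEqual(
    digest(authHeader.slice('Bearer '.length)),
    digest(expectedToken)
  );
}

// Reject before any tool dispatch: handleMcp (the privileged handler that
// holds the master key) only ever runs for authenticated callers.
function createMcpServer(expectedToken, handleMcp) {
  return http.createServer((req, res) => {
    if (!isAuthorized(req.headers.authorization, expectedToken)) {
      res.writeHead(401, { 'WWW-Authenticate': 'Bearer' });
      return res.end();
    }
    handleMcp(req, res);
  });
}

// Usage: bind to loopback rather than all interfaces.
//   const token = mintToken('/path/to/token-file');  // placeholder path
//   createMcpServer(token, handler).listen(8014, '127.0.0.1');
```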

Exploit Details

Mitigation Strategies

  • Disable HTTP mode entirely if not strictly required, relying on default Stdio transport instead.
  • Restrict network-level access to the port (default 8014) through firewalls and network access control lists (NACLs).
  • Ensure the local directory containing user tokens is secured with permissions restricting access to the process owner.

Remediation Steps:

  1. Update @agenticmail/mcp to version 0.9.27 or higher.
  2. Force-update downstream consumer tooling such as @agenticmail/cli to version 0.9.101, @agenticmail/claudecode to 0.2.32, and @agenticmail/codex to 0.1.26.
  3. Audit existing deployment scripts and process configuration managers to guarantee that the '--insecure' CLI parameter is not used.
