SSE Endpoint Accepts Arbitrary Username from URL Path, Enabling User Impersonation in MCPHub
Disclosed: 2026-04-16
Summary
Eresus Security identified a critical identity-spoofing issue in MCPHub versions <= 0.12.12. The user-scoped SSE route accepts a :user path parameter and constructs internal user context from that string without authenticating the caller or validating the referenced account.
As a result, an unauthenticated attacker can create SSE or MCP transport sessions under arbitrary usernames.
Affected Component
- Package: mcphub (npm)
- Affected versions: <= 0.12.12
- Patched versions: none at the time of publication
- Advisory: GHSA-wf8q-wvv8-p8jf
Root Cause
The vulnerable behavior resides in the SSE user-context middleware. Instead of resolving the user from a trusted identity source, the implementation reads req.params.user and fabricates a user object directly from that path value.
This means:
- no authentication gate is enforced at the route boundary;
- no database validation confirms the user exists;
- the resulting session is treated as a legitimate contextualized user flow.
The design also relies on a singleton-style user context service, which creates additional risk under concurrent usage: one connection may overwrite another user’s state.
Exploitation Pattern
An attacker connects to a URL such as:
/:user/sse/:group
and chooses an arbitrary username in the path. The server then:
- creates SSE transport state;
- associates the fabricated username with that state;
- returns a valid message endpoint;
- allows follow-up MCP traffic to proceed in the spoofed context.
Impact
The issue enables:
- impersonation of arbitrary users;
- abuse of user-scoped MCP or SSE flows;
- polluted audit logs and reduced forensic integrity;
- unauthorized access to servers or groups tied to user context.
Even when isAdmin is not set directly in the fabricated object, the mere ability to poison user identity at the transport layer is a major security failure for any multi-user AI system.
Mitigation Guidance
- Require authentication before any user-scoped SSE or MCP endpoint is reached.
- Resolve user identity from validated session or token material, never from a raw path parameter.
- Eliminate shared singleton user context for concurrent connections.
- Review SSE and MCP audit trails for spoofed or unexpected usernames.
- If bearer authentication is disabled, re-evaluate exposure immediately.
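The middleware pattern described under Root Cause, next to a hardened form that applies the first three mitigation items. This is an added example, not MCPHub's own code: the token store, user store, function names and the Express-style `req`/`res` shape are assumptions made for illustration, and all sample data is constructed.

```javascript
// Added example: names, stores and request shape are assumptions, not MCPHub code.
// Constructed identity data standing in for a real session/token validator.
const TOKENS = new Map([["tok-alice", "alice"], ["tok-bob", "bob"]]);
const USERS = new Map([["alice", { username: "alice", isAdmin: false }],
                       ["bob", { username: "bob", isAdmin: false }]]);

// Pattern described in Root Cause: identity fabricated from the path, kept in one shared slot.
const sharedContext = { currentUser: null };
function vulnerableUserContext(req, res, next) {
  sharedContext.currentUser = { username: req.params.user, isAdmin: false };
  next();
}

// Hardened form: identity comes from validated token material, the account must exist,
// the path segment is only compared against it, and context lives on the request.
function hardenedUserContext(req, res, next) {
  const header = req.headers.authorization || "";
  const match = /^Bearer (\S+)$/.exec(header);
  const username = match ? TOKENS.get(match[1]) : undefined;
  const user = username ? USERS.get(username) : undefined;
  if (!user) return res.status(401).json({ error: "authentication required" });
  if (req.params.user !== user.username) {
    return res.status(403).json({ error: "path user does not match authenticated user" });
  }
  req.userContext = Object.freeze({ ...user }); // per-request, never a shared singleton
  next();
}

// Minimal harness so the middleware runs without Express.
function run(middleware, req) {
  const out = { status: 200, body: null, nextCalled: false };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  middleware(req, res, () => { out.nextCalled = true; });
  return { ...out, userContext: req.userContext };
}

function demo() {
  const req = (user, token) => ({
    params: { user, group: "default" },
    headers: token ? { authorization: `Bearer ${token}` } : {},
  });
  return {
    anonymous: run(hardenedUserContext, req("alice")),           // 401
    mismatch: run(hardenedUserContext, req("alice", "tok-bob")), // 403
    valid: run(hardenedUserContext, req("alice", "tok-alice")),  // next() with alice
    vulnerable: run(vulnerableUserContext, req("no-such-user")), // accepted as-is
  };
}
```

Because the hardened middleware stores the resolved user on the request object, two concurrent connections cannot overwrite each other's identity the way they can through `sharedContext`.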
Detection Considerations
Monitor for:
- unusual SSE connections containing unexpected usernames;
- usernames that do not exist in the legitimate identity store;
- message traffic tied to fabricated or inconsistent principals;
- concurrency anomalies where one user’s actions appear in another user’s session context.
Credit
Reported by the Eresus Security Research Team.