Intelligence
criticalVulnerabilityActive

Meta Ads MCP: Unauthenticated HTTP Middleware Bypass Exposes Operator Credentials via Error Serialization

AuthInjectionMiddleware fails to enforce authentication, allowing unauthenticated callers to invoke MCP tools and trigger error responses that leak the operator's Meta access token as a query parameter in JSON-RPC responses.

S
Sebastion

CVE References

CVE-2026-48039

Affected

pipeboard-co/meta-ads-mcp (≤1.0.101)

Vulnerability Description

Root Cause: The AuthInjectionMiddleware.dispatch() function at http_auth_integration.py:272 unconditionally forwards HTTP requests to downstream MCP tool handlers without validating authentication credentials. The middleware logs a warning when no auth tokens are detected but proceeds anyway, bypassing the intended 401 Unauthorized response. This is a classic CWE-287: Improper Authentication defect where access control decisions are either missing or incorrectly implemented. The vulnerability is compounded by a secondary flaw: when downstream Meta Graph API calls fail and no per-request credential exists, the handler falls back to the META_ACCESS_TOKEN environment variable. Upon API failure, error handling code at api.py:263–269 serializes the full httpx request URL into the JSON-RPC response body, inadvertently including the access token as a query parameter.

PoC Significance

This disclosure demonstrates a two-stage credential exfiltration chain: (1) authentication bypass via middleware logic failure, and (2) information disclosure via unsafe error serialization. The PoC proves that any network-reachable caller can invoke protected MCP tools without credentials. The attack has low preconditions—no special payloads or timing attacks are required—and is reliable because it depends only on the presence of the META_ACCESS_TOKEN environment variable and the predictability of API failures (which can be triggered by malformed requests). The operator's Meta access token is leaked in plaintext within JSON-RPC error responses, giving attackers direct API access to Meta Ads accounts.

Detection Guidance

Log Indicators:

  • HTTP requests to MCP tool endpoints lacking Authorization or X-Pipeboard-Token headers
  • Middleware warnings logged by AuthInjectionMiddleware ("No authentication tokens found in headers")
  • JSON-RPC responses containing httpx request URLs with access_token= query parameters
  • Unusual patterns of tool invocations from unexpected source IPs or user agents

Network Signatures:

  • Requests to /mcp/tools/* endpoints without auth headers followed by error responses containing access_token=
  • Outbound Meta Graph API calls originating from unauthenticated internal MCP handlers

YARA-style indicators: Search application logs and error response dumps for regex pattern access_token=[a-zA-Z0-9_-]{20,} in JSON-RPC response bodies.

Mitigation Steps

  1. Immediate Workarounds:

    • Restrict network access to the MCP server using firewall rules or network segmentation
    • Rotate the META_ACCESS_TOKEN credential immediately and audit all recent token usage
    • Disable the HTTP MCP interface if not required; use only authenticated transports

  2. Patch Implementation:

    • Upgrade to version ≥1.0.102 (with caveats: versions 1.0.102–1.0.105 lack git tags, so patch verification is recommended)
    • Verify the fix enforces early 401 Unauthorized returns when no auth credentials are present
    • Ensure error handling does not serialize sensitive query parameters into response bodies

  3. Code Review:

    • Modify AuthInjectionMiddleware.dispatch() to raise an exception or return 401 before calling call_next(request)
    • Sanitize error responses to exclude raw request URLs and credentials
    • Implement structured error logging that does not leak environment variables

Risk Assessment

Likelihood of Exploitation: High. The attack surface is broad—any network-reachable MCP instance is vulnerable—and exploitation requires no sophistication. Threat actors scanning for exposed MCP servers will find this trivial to exploit. The credential leak is deterministic and does not depend on race conditions or complex triggers.

Threat Actor Interest: Critical infrastructure targeting and SaaS hijacking. Attackers gaining Meta access tokens can impersonate the operator, modify ad campaigns, access customer data, and establish persistence. This is a high-value target for financially motivated and state-sponsored actors.

Wild Deployment Risk: Organizations running meta-ads-mcp ≤1.0.101 without egress filtering or network isolation are likely already compromised if the server is internet-facing or accessible from untrusted networks.

Sources

pocauthentication-bypasscredential-leakmiddlewaremcpmeta-adscwe-287
Back to intelligence