CVE 9.2 CRITICAL

GitLab MCP Server: SSE transport has no authentication and wildcard CORS, exposing all GitLab tools_CVE-2026-44895

May 26, 2026 invoker category_cve
9.2 / 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Description

GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: * on every response. The structural defect is that the SSE server stands up a stateful, mutation-capable RPC endpoint that is backed by the operator's GITLAB_PERSONAL_ACCESS_TOKEN without any inbound credential check, then advertises itself to every cross-origin browser context via the wildcard CORS header. The httpServer.listen(port) call at line 97 also passes no host argument, so the bind defaults to 0.0.0.0 and exposes the auth-less surface on every interface. This vulnerability is fixed in 0.6.0.

AI Analysis

The GitLab MCP Server has a vulnerability where the HTTP transport has no authentication layer and a wildcard Access-Control-Allow-Origin, allowing unauthorized access to GitLab tools.

Basic Information

ID CVE-2026-44895
Source GitHub_M
Published May 26, 2026 at 21:08

Affected Product

Vendor yoda-digital
Product mcp-gitlab-server
Version < 0.6.0
Affected Versions yoda-digital mcp-gitlab-server < 0.6.0

CWE Classification

CWE-306 CWE-942

AI Assessment

AI Score 9.2 / 10
AI Severity Critical
Vendor yoda-digital
Product mcp-gitlab-server
Version < 0.6.0

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.