CVSS Score: 6.5 / 10 (MEDIUM)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Description
Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication (AUTH_USERNAME/AUTH_PASSWORD), is reachable unauthenticated at /mcp because the nginx front-end does not apply the auth_request gate to that path and the MCP server auto-mints a valid internal session token for the configured user. A remote unauthenticated attacker can invoke MCP tools such as generate_presentation, performing authenticated application actions, consuming the operator's configured LLM API keys, and creating presentations in the operator's instance. The Electron desktop build is not affected (MCP disabled).
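The front-end half of this issue is a common nginx pattern: the auth_request gate is declared inside one location block, so a location added later for a new backend (here the MCP proxy) carries no gate at all. The fragment below is an added illustration written for this entry, not Presenton's actual nginx configuration; the upstream names, ports and the /auth verification path are assumptions. It shows the weak per-location pattern as commented lines beside the corrected server-level declaration, which every location inherits unless it explicitly opts out.

```nginx
# Added illustration, not Presenton's nginx config. Upstream addresses and
# the /auth verification path are assumptions.

upstream app { server 127.0.0.1:8000; }   # assumed: main application
upstream mcp { server 127.0.0.1:8001; }   # assumed: bundled MCP server

server {
    listen 80;

    # Corrected pattern: declare the gate once at server level. nginx
    # inherits auth_request into every location that does not override it,
    # so a route added later (such as /mcp) cannot silently bypass it.
    auth_request /auth;

    # Internal subrequest target: the application answers 2xx for a valid
    # session cookie and 401 otherwise. Only this location opts out of the
    # gate, and `internal` keeps it unreachable from the network.
    location = /auth {
        auth_request off;
        internal;
        proxy_pass http://app/api/auth/verify;   # assumed verification route
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location / {
        # Weak pattern (do not use): the gate lived only here ...
        # auth_request /auth;
        proxy_pass http://app;
    }

    location /mcp {
        # ... so this location, added for the MCP server, had no gate and
        # was reachable without a session. With the server-level
        # auth_request above it is now gated like every other route.
        proxy_pass http://mcp;
    }
}
```

Validate the file with `nginx -t` before reloading; afterwards an unauthenticated request to /mcp should return 401 rather than reaching the MCP server. Note that this only closes the front-end gap: the advisory also states that the MCP server itself auto-mints a session token for the configured user, so the MCP backend should never be bound to a network-reachable address, and upgrading to the fixed release (0.8.8-beta) is the actual remediation.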
Basic Information
ID: CVE-2026-58446
Source: VulnCheck
Published: Jun 30, 2026 at 21:05
Affected Product
Vendor: presenton
Product: presenton
Affected Versions: presenton presenton 0
CWE Classification
References
- github.com/presenton/presenton/releases/tag/electron-v0.8.8-beta
- github.com/presenton/presenton/issues/678
- github.com/presenton/presenton/pull/679
- github.com/presenton/presenton/commit/a1103dcef3c761cc8bab44e2862c81a49969abd7
- www.vulncheck.com/advisories/presenton-beta-authentication-bypass-of-session-auth-via-unprotected-mcp-endpoint