{"url":"http://public2.vulnerablecode.io/api/packages/977768?format=json","purl":"pkg:npm/%40grackle-ai/mcp@0.23.0","type":"npm","namespace":"@grackle-ai","name":"mcp","version":"0.23.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.70.2","latest_non_vulnerable_version":"0.70.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360187?format=json","vulnerability_id":"VCID-6wvj-hzcn-gfan","summary":"@grackle-ai/mcp has a workspace authorization bypass in its knowledge_search MCP tool\n### Impact\n\nThe `knowledge_search` and `knowledge_get_node` MCP tools are included in `SCOPED_TOOLS` (visible to scoped agents) but their handlers do not receive `authContext` and do not enforce workspace scoping. A scoped agent in Workspace A can supply an arbitrary `workspaceId` parameter to search or retrieve knowledge graph nodes from Workspace B, bypassing workspace isolation boundaries.\n\nThis is a **cross-workspace data leakage** vulnerability affecting any deployment where multiple workspaces contain sensitive knowledge graph data and scoped agents are used.\n\n**Affected code:**\n- `packages/mcp/src/tools/knowledge.ts:146-169` (knowledge_search handler)\n- `packages/mcp/src/tools/knowledge.ts:244-283` (knowledge_get_node handler)\n- `packages/mcp/src/tool-scoping.ts:11` (both tools listed in SCOPED_TOOLS)\n\n**Contrast with correct implementation:** `knowledge_create_node` (same file, lines 334-357) properly receives `authContext` and overrides the user-supplied `workspaceId` for scoped callers.\n\n### Design Note\n\nCross-workspace knowledge sharing is a legitimate future feature — agents working across different repos may need to collaborate and share knowledge. However, this access should be **opt-in with explicit grants**, not an implicit bypass. The immediate fix locks scoped agents to their own workspace. A future design could introduce:\n- Workspace-level \"share knowledge with\" settings\n- A `cross_workspace` scope on scoped tokens\n- Explicit `workspaceIds` (plural) in the auth context\n\n### Patches\n\n**Fix:** Add `authContext` parameter to `knowledge_search` and `knowledge_get_node` handlers and enforce workspace scoping, matching the pattern in `knowledge_create_node`:\n```typescript\nconst resolvedWorkspaceId =\n  authContext?.type === \"scoped\"\n    ? authContext.workspaceId ?? \"\"\n    : workspaceId ?? \"\";\n```\n\nWhen cross-workspace collaboration is designed, this check can be relaxed intentionally with proper access controls.\n\n### Workarounds\n\nDo not use scoped agent tokens in multi-workspace deployments until patched. Alternatively, remove `knowledge_search` and `knowledge_get_node` from the `SCOPED_TOOLS` set in `tool-scoping.ts`.\n\n### References\n\n- CWE-284: Improper Access Control\n- File: `packages/mcp/src/tools/knowledge.ts`\n- File: `packages/mcp/src/tool-scoping.ts`","references":[{"reference_url":"https://github.com/nick-pape/grackle","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nick-pape/grackle"},{"reference_url":"https://github.com/nick-pape/grackle/security/advisories/GHSA-647h-p824-99w7","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nick-pape/grackle/security/advisories/GHSA-647h-p824-99w7"},{"reference_url":"https://github.com/advisories/GHSA-647h-p824-99w7","reference_id":"GHSA-647h-p824-99w7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-647h-p824-99w7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375243?format=json","purl":"pkg:npm/%40grackle-ai/mcp@0.70.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540grackle-ai/mcp@0.70.2"}],"aliases":["GHSA-647h-p824-99w7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6wvj-hzcn-gfan"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540grackle-ai/mcp@0.23.0"}