{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67653?format=json","vulnerability_id":"VCID-x29q-mp3h-efhk","summary":"GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: * on every response. The structural defect is that the SSE server stands up a stateful, mutation-capable RPC endpoint that is backed by the operator's GITLAB_PERSONAL_ACCESS_TOKEN without any inbound credential check, then advertises itself to every cross-origin browser context via the wildcard CORS header. The httpServer.listen(port) call at line 97 also passes no host argument, so the bind defaults to 0.0.0.0 and exposes the auth-less surface on every interface. This vulnerability is fixed in 0.6.0.","aliases":[{"alias":"CVE-2026-44895"},{"alias":"GHSA-8jr5-6gvj-rfpf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375946?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.6.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.6.0"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1066831?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.1.0"},{"url":"http://public2.vulnerablecode.io/api/packages/1066832?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/1066833?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.1.2"},{"url":"http://public2.vulnerablecode.io/api/packages/1066834?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.1.3"},{"url":"http://public2.vulnerablecode.io/api/packages/1066835?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.1.4"},{"url":"http://public2.vulnerablecode.io/api/packages/1066836?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.1.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.1.5"},{"url":"http://public2.vulnerablecode.io/api/packages/1066837?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.1.6"},{"url":"http://public2.vulnerablecode.io/api/packages/1066838?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.1.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.1.7"},{"url":"http://public2.vulnerablecode.io/api/packages/1066839?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.1.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.1.8"},{"url":"http://public2.vulnerablecode.io/api/packages/1066840?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.1.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.1.9"},{"url":"http://public2.vulnerablecode.io/api/packages/1066841?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.1.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.1.10"},{"url":"http://public2.vulnerablecode.io/api/packages/1066842?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.1.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.1.11"},{"url":"http://public2.vulnerablecode.io/api/packages/1066843?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.1.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.1.12"},{"url":"http://public2.vulnerablecode.io/api/packages/1066844?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.1.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.1.13"},{"url":"http://public2.vulnerablecode.io/api/packages/1066845?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.1.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.1.15"},{"url":"http://public2.vulnerablecode.io/api/packages/1066846?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.1.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.1.16"},{"url":"http://public2.vulnerablecode.io/api/packages/1066847?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/1066848?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/1066849?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.2.3"},{"url":"http://public2.vulnerablecode.io/api/packages/1066850?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.2.4"},{"url":"http://public2.vulnerablecode.io/api/packages/1066851?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.2.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.2.5"},{"url":"http://public2.vulnerablecode.io/api/packages/1066852?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.2.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.2.6"},{"url":"http://public2.vulnerablecode.io/api/packages/1066853?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.2.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.2.7"},{"url":"http://public2.vulnerablecode.io/api/packages/1066854?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.2.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.2.8"},{"url":"http://public2.vulnerablecode.io/api/packages/1066855?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.2.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.2.9"},{"url":"http://public2.vulnerablecode.io/api/packages/1066856?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.2.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.2.10"},{"url":"http://public2.vulnerablecode.io/api/packages/1066857?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.3.0"},{"url":"http://public2.vulnerablecode.io/api/packages/1066858?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/1066859?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.3.2"},{"url":"http://public2.vulnerablecode.io/api/packages/1066860?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.4.0"},{"url":"http://public2.vulnerablecode.io/api/packages/1066861?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.5.0"},{"url":"http://public2.vulnerablecode.io/api/packages/1066862?format=json","purl":"pkg:npm/%40yoda.digital/gitlab-mcp-server@0.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x29q-mp3h-efhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540yoda.digital/gitlab-mcp-server@0.5.1"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44895","reference_id":"","reference_type":"","scores":[{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05474","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44895"},{"reference_url":"https://github.com/yoda-digital/mcp-gitlab-server","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/yoda-digital/mcp-gitlab-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44895","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44895"},{"reference_url":"https://github.com/advisories/GHSA-8jr5-6gvj-rfpf","reference_id":"GHSA-8jr5-6gvj-rfpf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8jr5-6gvj-rfpf"},{"reference_url":"https://github.com/yoda-digital/mcp-gitlab-server/security/advisories/GHSA-8jr5-6gvj-rfpf","reference_id":"GHSA-8jr5-6gvj-rfpf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-27T13:34:54Z/"}],"url":"https://github.com/yoda-digital/mcp-gitlab-server/security/advisories/GHSA-8jr5-6gvj-rfpf"}],"weaknesses":[{"cwe_id":306,"name":"Missing Authentication for Critical Function","description":"The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources."},{"cwe_id":942,"name":"Permissive Cross-domain Policy with Untrusted Domains","description":"The product uses a cross-domain policy file that includes domains that should not be trusted."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"7.0 - 9.2","exploitability":"0.5","weighted_severity":"8.3","risk_score":4.2,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x29q-mp3h-efhk"}