Authentication mechanism absence or evasion in @agenticmail/mcp
Description
@agenticmail/mcp Missing Authentication for Critical Function
AgenticMail MCP HTTP authorization bypass
Summary
@agenticmail/mcp exposes a Streamable HTTP transport when started with
--http or MCP_HTTP=1. In that mode, the /mcp endpoint accepts requests
without any HTTP authentication layer. A remote client can initialize a
session and call tools directly.
The problem is that the MCP server also exposes tools documented as requiring
AGENTICMAIL_MASTER_KEY, and the server process forwards those calls using its
own configured master key. As a result, any client that can reach the MCP HTTP
port can invoke master-only operations without knowing the master key.
Impact
An unauthenticated network client can invoke master-key-only MCP tools through the server, including administrative and gateway actions.
Confirmed with a read-only tool:
setup_guide
The same path reaches higher-impact tools such as:
setup_email_relay
setup_email_domain
delete_agent
cleanup_agents
send_test_email
Affected Code
packages/mcp/src/index.ts
packages/mcp/src/tools.ts
packages/mcp/README.md
Relevant observations:
packages/mcp/src/index.ts starts an HTTP server for /mcp without
checking an Authorization header.
packages/mcp/src/tools.ts marks gateway/admin tools as master-key tools
and forwards them with the server-side AGENTICMAIL_MASTER_KEY.
packages/mcp/README.md documents that gateway/admin tools require the
master key.
Reproduction
Use the bundled one-command PoC runner:
cd agenticmail
./scripts/run_agenticmail_mcp_http_unauth_poc.sh
Expected success output:
[+] received mcp-session-id without authentication: ...
[+] tools/call(setup_guide) HTTP status: 200
[+] SUCCESS: unauthenticated HTTP client invoked MCP tool `setup_guide`
PoC Files
scripts/run_agenticmail_mcp_http_unauth_poc.sh
One-command wrapper that starts the API, starts MCP in HTTP mode, runs the client PoC, and cleans up background processes.
scripts/agenticmail_mcp_http_unauth_poc.py
Unauthenticated MCP client that sends initialize and then calls
setup_guide.
Inline PoC
The following PoC is non-destructive. It calls setup_guide, which is
documented as a master-key tool but only returns setup guidance.
scripts/run_agenticmail_mcp_http_unauth_poc.sh
#!/usr/bin/env bash
set -euo pipefail
REPO_DIR="."
POC="scripts/agenticmail_mcp_http_unauth_poc.py"
API_HOST="${API_HOST:-127.0.0.1}"
API_PORT="${API_PORT:-}"...
scripts/agenticmail_mcp_http_unauth_poc.py
#!/usr/bin/env python3
from __future__ import annotations
import argparse
import json
import sys
import urllib.error
import urllib.request...
Why This Is a Vulnerability
The project treats AGENTICMAIL_MASTER_KEY as the authorization boundary for
administrative and gateway operations. HTTP MCP mode removes the client-side
authentication boundary entirely, so an unauthenticated network client becomes
an indirect caller of master-only API functionality.
Suggested Fix
Require authentication for HTTP MCP mode.
Bind the MCP HTTP server to 127.0.0.1 by default.
Reject /mcp requests that lack a valid bearer token or shared secret.
Disable master-key tools when the transport is unauthenticated.
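The checks listed above, written out as an added example in plain Node.js; this is not AgenticMail's code or its patch. The MCP_HTTP_TOKEN variable, the handleMcp callback and the { name, masterKey } tool shape are assumptions made for illustration.

```javascript
// Added example, not AgenticMail code: an auth gate placed in front of /mcp.
const http = require('node:http');
const { createHash, timingSafeEqual } = require('node:crypto');

// Hash both sides so timingSafeEqual always gets equal-length buffers.
const digest = (value) => createHash('sha256').update(String(value)).digest();

// Fail closed: with no token configured, nothing is authorized.
function isAuthorized(headers, expectedToken) {
  if (!expectedToken) return false;
  const match = /^Bearer (\S+)$/i.exec(headers.authorization || '');
  return match !== null && timingSafeEqual(digest(match[1]), digest(expectedToken));
}

// Assumed tool shape { name, masterKey }: register master-key tools only
// when the transport itself authenticates its clients.
function allowedTools(tools, transportAuthenticated) {
  return tools.filter((tool) => transportAuthenticated || !tool.masterKey);
}

// Runs before a session is created or a tool call is forwarded upstream.
function gate(req, expectedToken) {
  if ((req.url || '').split('?')[0] !== '/mcp') return { status: 404 };
  if (!isAuthorized(req.headers, expectedToken)) {
    return { status: 401, headers: { 'WWW-Authenticate': 'Bearer' } };
  }
  return { status: 200 };
}

// handleMcp stands in for the real MCP transport handler (assumption).
// MCP_HTTP_TOKEN is a hypothetical variable name, not a project setting.
function startServer(handleMcp, options = {}) {
  const { port = 0, host = '127.0.0.1', token = process.env.MCP_HTTP_TOKEN } = options;
  const server = http.createServer((req, res) => {
    const decision = gate(req, token);
    if (decision.status !== 200) {
      res.writeHead(decision.status, decision.headers || {});
      res.end();
      return;
    }
    handleMcp(req, res);
  });
  return server.listen(port, host); // loopback unless the operator overrides host
}
```

Calling `allowedTools(tools, Boolean(token))` at registration time keeps master-key tools off a transport that was started without a token.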
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
npm | 0.9.27 |