Skip to main content

AgenticMail MCP CVE-2026-50287

| EUVDEUVD-2026-36544 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-12 GitHub_M GHSA-63gr-g7jc-v8rg
8.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Network /mcp endpoint with no auth (AV:N/AC:L/PR:N/UI:N); reachable master-key tools modify relay/domain config and delete agents, so C/I/A:H rather than the input's I:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 12, 2026 - 20:00 vuln.today
Analysis Generated
Jun 12, 2026 - 20:00 vuln.today

DescriptionCVE.org

AgenticMail gives AI agents real email addresses and phone numbers. Prior to version 0.9.27, @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or MCP_HTTP=1. In that mode, the /mcp endpoint accepts requests without any HTTP authentication layer. A remote client can initialize a session and call tools directly. This issue has been patched in version 0.9.27.

AnalysisAI

Missing authentication in @agenticmail/mcp prior to 0.9.27 allows unauthenticated remote clients to invoke master-key-only MCP tools when the server is started with --http or MCP_HTTP=1. The /mcp Streamable HTTP endpoint accepts session initialization and tool calls without any Authorization check, and the server forwards calls using its configured AGENTICMAIL_MASTER_KEY, enabling administrative actions such as setup_email_relay, delete_agent, and send_test_email. Publicly available exploit code exists in the GHSA advisory (one-command PoC), though EPSS remains low at 0.06% (19th percentile) and the issue is not on CISA KEV.

Technical ContextAI

AgenticMail is a service that provisions real email addresses and phone numbers for AI agents, and @agenticmail/mcp is its Model Context Protocol server (npm package) that exposes agent-facing tools over either stdio or a Streamable HTTP transport. In HTTP mode, packages/mcp/src/index.ts mounts the /mcp endpoint without an Authorization header check, while packages/mcp/src/tools.ts designates a subset of tools as 'master-key tools' and forwards them using the server-side AGENTICMAIL_MASTER_KEY environment variable. This matches CWE-306 (Missing Authentication for a Critical Function): the privilege boundary documented in the README (master key required) is enforced only at the upstream API layer, not at the MCP HTTP entry point, so the server effectively acts as a confused deputy that re-authenticates every inbound request with its own privileged credentials. The affected CPE is cpe:2.3:a:agenticmail:agenticmail:*:*:*:*:*:*:*:*.

RemediationAI

Vendor-released patch: upgrade @agenticmail/mcp to 0.9.27 or later (npm install @agenticmail/mcp@0.9.27), which corresponds to commits 7b9b05d973676e9f3d097c08b8e649f59bfc15d0 and 7d1791da7c8c8bd4e70d7081db48e18ab55f6736 per the GHSA advisory at https://github.com/agenticmail/agenticmail/security/advisories/GHSA-63gr-g7jc-v8rg. If immediate upgrade is not possible, stop starting the server with --http and unset MCP_HTTP=1 to revert to the stdio transport, which removes the unauthenticated network surface entirely at the cost of disabling remote MCP access. If HTTP mode must remain enabled pending the upgrade, bind the listener to 127.0.0.1 only and place a reverse proxy (e.g., nginx, Caddy) in front of /mcp that enforces an Authorization header or mTLS - note that this only mitigates external attackers and does not protect against any local or co-tenant process that can reach the loopback port.

Share

CVE-2026-50287 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy