Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network /mcp endpoint with no auth (AV:N/AC:L/PR:N/UI:N); reachable master-key tools modify relay/domain config and delete agents, so C/I/A:H rather than the input's I:N/A:N.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
AgenticMail gives AI agents real email addresses and phone numbers. Prior to version 0.9.27, @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or MCP_HTTP=1. In that mode, the /mcp endpoint accepts requests without any HTTP authentication layer. A remote client can initialize a session and call tools directly. This issue has been patched in version 0.9.27.
AnalysisAI
Missing authentication in @agenticmail/mcp prior to 0.9.27 allows unauthenticated remote clients to invoke master-key-only MCP tools when the server is started with --http or MCP_HTTP=1. The /mcp Streamable HTTP endpoint accepts session initialization and tool calls without any Authorization check, and the server forwards calls using its configured AGENTICMAIL_MASTER_KEY, enabling administrative actions such as setup_email_relay, delete_agent, and send_test_email. Publicly available exploit code exists in the GHSA advisory (one-command PoC), though EPSS remains low at 0.06% (19th percentile) and the issue is not on CISA KEV.
Technical ContextAI
AgenticMail is a service that provisions real email addresses and phone numbers for AI agents, and @agenticmail/mcp is its Model Context Protocol server (npm package) that exposes agent-facing tools over either stdio or a Streamable HTTP transport. In HTTP mode, packages/mcp/src/index.ts mounts the /mcp endpoint without an Authorization header check, while packages/mcp/src/tools.ts designates a subset of tools as 'master-key tools' and forwards them using the server-side AGENTICMAIL_MASTER_KEY environment variable. This matches CWE-306 (Missing Authentication for a Critical Function): the privilege boundary documented in the README (master key required) is enforced only at the upstream API layer, not at the MCP HTTP entry point, so the server effectively acts as a confused deputy that re-authenticates every inbound request with its own privileged credentials. The affected CPE is cpe:2.3:a:agenticmail:agenticmail:*:*:*:*:*:*:*:*.
RemediationAI
Vendor-released patch: upgrade @agenticmail/mcp to 0.9.27 or later (npm install @agenticmail/mcp@0.9.27), which corresponds to commits 7b9b05d973676e9f3d097c08b8e649f59bfc15d0 and 7d1791da7c8c8bd4e70d7081db48e18ab55f6736 per the GHSA advisory at https://github.com/agenticmail/agenticmail/security/advisories/GHSA-63gr-g7jc-v8rg. If immediate upgrade is not possible, stop starting the server with --http and unset MCP_HTTP=1 to revert to the stdio transport, which removes the unauthenticated network surface entirely at the cost of disabling remote MCP access. If HTTP mode must remain enabled pending the upgrade, bind the listener to 127.0.0.1 only and place a reverse proxy (e.g., nginx, Caddy) in front of /mcp that enforces an Authorization header or mTLS - note that this only mitigates external attackers and does not protect against any local or co-tenant process that can reach the loopback port.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36544
GHSA-63gr-g7jc-v8rg