Security
Every MCP risk signal in one place — CVEs, tool safety, drift, naming, licenses. Heuristic: review signals, not verdicts.
45 CRITICAL
3626 HIGH
531 MEDIUM
1202 LOW
11 NONE
Known CVE vulnerabilities mapped to tracked servers via OSV.dev, newest disclosures first; switch to the severity worklist to triage by impact — a review signal, not a verdict.
- @frontmcp/adapters
- @benborla29/mcp-server-mysql
- @blaxel/core
- @blaxel/telemetry
- @frontmcp/plugin-codecall
- @frontmcp/plugin-dashboard
- @frontmcp/plugin-remember
- @frontmcp/plugins
- @gongrzhe/server-gmail-autoauth-mcp
- @mcp-use/cli
Scope: only dependencies that are themselves tracked MCP servers. A CVE in an untracked package (a general npm/PyPI library) does not flow here — this is partial supply-chain visibility, not a full transitive audit.
- NONE @mcp-use/cli MAL-2025-190868
- MEDIUM mcp-server-kubernetes MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration EPSS 0%
- LOW stacklok/toolhive SSRF guard misses IPv6 NAT64 ranges (64:ff9b::/96, 64:ff9b:1::/48), allowing metadata/internal access behind a NAT64 gateway
- HIGH Labs64/NetLicensing-MCP Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode
- MEDIUM lobehub/lobehub Unauthenticated SSRF in `/webapi/proxy` EPSS 0%
- MEDIUM danny-avila/LibreChat 2FA Backup Code Regeneration Without OTP Verification Allows 2FA Bypass EPSS 0%
- HIGH danny-avila/LibreChat Missing Resource Parameter Validation in MCP OAuth Flow EPSS 0%
- MEDIUM danny-avila/LibreChat Incomplete Fix for CVE-2025-7105 — /api/convos/duplicate Lacks Rate Limiting Applied to /api/convos/fork EPSS 0%
- HIGH danny-avila/LibreChat SSRF via User-Provided Custom Endpoint baseURL — no private IP validation on user-configured API base URLs EPSS 0%
- MEDIUM danny-avila/LibreChat Image Upload Route Bypasses Agent Permission Check — Incomplete Fix for File Upload Authorization EPSS 0%
- MEDIUM danny-avila/LibreChat Shared-agent editor can globally delete owner's file records — breaks owner's other private agents EPSS 0%
- MEDIUM danny-avila/LibreChat IDOR in Message Deletion — Incomplete Fix for CVE-2024-41703 Leaves deleteMessages() Without User Filter EPSS 0%
- HIGH danny-avila/LibreChat IDOR in API Keys Management allows any authenticated user to overwrite other users' API keys EPSS 0%
- MEDIUM danny-avila/LibreChat Shared MCP Server View Leaks Decrypted Admin Secrets EPSS 0%
- MEDIUM danny-avila/LibreChat Incomplete Fix for CVE-2024-11171 — Conversation Import Multer Instance Missing File Size Limits EPSS 0%
- CRITICAL danny-avila/LibreChat Server Secrets Exfiltration via MCP Server URL Injection EPSS 0%
- MEDIUM danny-avila/LibreChat 2FA Re-enrollment Allows Full Account 2FA Takeover Without OTP Verification EPSS 0%
- MEDIUM danny-avila/LibreChat Stored XSS via unescaped image alt text in markdown artifact preview EPSS 0%
- CRITICAL gemini-mcp-tool OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755) EPSS 1%
- HIGH agenticmail/agenticmail AgenticMail API/storage and outbound relay hardening fixes EPSS 0%
- CRITICAL leshchenko1979/fast-mcp-telegram Bearer token path traversal bypasses reserved Telegram session protection
- HIGH Rheosoph/flow-like Azure invoke presign grants app content write SAS to ExecuteEvents-only users
- MEDIUM n8n-io/n8n Git Node Clone and Push Operations Bypass File Sandbox EPSS 0%
- HIGH n8n-io/n8n Python sandbox escape EPSS 0%
- NONE @atlisp/mcp MAL-2026-4365