CVE-2026-44895 - GitLab MCP Server SSE auth bypass
@yoda.digital/gitlab-mcp-server versions before 0.6.0 can expose its SSE
HTTP transport without an inbound authentication check. When SSE mode is
enabled, a reachable GET /sse endpoint can create a session and the matching
POST /messages?sessionId=... endpoint can accept MCP messages backed by the
server process’s GITLAB_PERSONAL_ACCESS_TOKEN.
The risky shape is not that the GitLab PAT is printed to the caller. The risk is delegated action: any caller that can reach the SSE port can ask the server to perform GitLab tool calls using the operator’s token. A wildcard CORS policy also turns a local developer workstation into a browser-tab attack surface if a malicious page can reach the local MCP port.
When to use it
Use this recipe when a repository, agent gateway, desktop MCP profile, or
developer service runs @yoda.digital/gitlab-mcp-server with SSE transport.
It is meant for MCP authentication remediation, GitLab PAT containment, CORS
hardening, and audit evidence that /sse and /messages cannot be used by
unauthenticated callers.
Inputs
- GitLab MCP server version, SSE/HTTP config, MCP gateway config, bind address, CORS policy, auth middleware, and deployment ingress.
- Evidence of
GITLAB_PERSONAL_ACCESS_TOKENhandling, log/error redaction, session creation, and message endpoint authorization. - Tests or fixtures for missing auth, invalid auth, valid auth, cross-origin requests, and token-redaction behavior without real GitLab PATs.
- Boundary notes for who can reach the service: loopback, LAN, shared workbench, internal ingress, or internet-facing endpoint.
Affected versions
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
@yoda.digital/gitlab-mcp-server |
< 0.6.0 |
0.6.0+ |
Affected mode and controls:
- SSE transport enabled through
USE_SSE=trueor equivalent startup wiring. GET /sseandPOST /messages?sessionId=...are reachable without a bearer token, gateway auth, mTLS identity, or loopback-only boundary.- The HTTP listener binds to every interface or is forwarded through a container port, dev tunnel, Codespaces port, reverse proxy, Kubernetes Service, or preview environment.
- CORS allows arbitrary origins or does not bind the session to a trusted origin.
- The process has a
GITLAB_PERSONAL_ACCESS_TOKENwith repository, group, merge request, file-write, settings, admin, or destructive permissions.
Indicator-of-exposure
- The repository installs, vendors, images, deploys, configures, or documents
@yoda.digital/gitlab-mcp-server <0.6.0. - An MCP client, devcontainer, task runner, Compose service, process manager,
Helm chart, Kubernetes manifest, Terraform module, or operator guide sets
USE_SSE=true. - The server listens on
0.0.0.0, publishes port3000or another SSE port, exposes/sseor/messages, or forwards the port outside a trusted local process boundary. - Browser contexts, local web apps, preview environments, or untrusted users can send cross-origin requests to the MCP server.
- The configured GitLab PAT can read private projects, write files, push commits, open or merge merge requests, manage groups, change repository settings, delete resources, or access sensitive CI/CD data.
Quick checks:
rg -n "@yoda\\.digital/gitlab-mcp-server|mcp-gitlab-server|USE_SSE|GITLAB_PERSONAL_ACCESS_TOKEN|MCP_GITLAB_AUTH_TOKEN|/sse|/messages|Access-Control-Allow-Origin|0\\.0\\.0\\.0|3000|gitlab.*mcp" .
npm ls @yoda.digital/gitlab-mcp-server
pnpm why @yoda.digital/gitlab-mcp-server
yarn why @yoda.digital/gitlab-mcp-server
rg -n "@yoda\\.digital/gitlab-mcp-server|USE_SSE|GITLAB_PERSONAL_ACCESS_TOKEN|MCP_GITLAB_AUTH_TOKEN|/sse|/messages|ports:|3000|0\\.0\\.0\\.0" package.json package-lock.json pnpm-lock.yaml yarn.lock Dockerfile* docker-compose*.yml compose*.yaml .devcontainer .github deploy charts k8s helm terraform ansible scripts 2>/dev/null
Windows:
rg -n "@yoda\.digital/gitlab-mcp-server|mcp-gitlab-server|USE_SSE|GITLAB_PERSONAL_ACCESS_TOKEN|MCP_GITLAB_AUTH_TOKEN|/sse|/messages|Access-Control-Allow-Origin|0\.0\.0\.0|3000|gitlab.*mcp" .
npm ls @yoda.digital/gitlab-mcp-server
pnpm why @yoda.digital/gitlab-mcp-server
yarn why @yoda.digital/gitlab-mcp-server
rg -n "@yoda\.digital/gitlab-mcp-server|USE_SSE|GITLAB_PERSONAL_ACCESS_TOKEN|MCP_GITLAB_AUTH_TOKEN|/sse|/messages|ports:|3000|0\.0\.0\.0" package.json package-lock.json pnpm-lock.yaml yarn.lock Dockerfile* docker-compose*.yml compose*.yaml .devcontainer .github deploy charts k8s helm terraform ansible scripts
Do not prove exposure by invoking live GitLab MCP tools, reading private projects, pushing files, creating merge requests, changing settings, deleting resources, printing PATs, or calling a production MCP endpoint.
Remediation strategy
- Upgrade every controlled
@yoda.digital/gitlab-mcp-serverdependency, lockfile, image, generated dependency report, and SBOM to0.6.0+. - Require an explicit inbound auth boundary for SSE mode. At minimum, require
MCP_GITLAB_AUTH_TOKENor an equivalent secret-backed bearer token before the server starts, and validate it on both/sseand/messages. - Bind SSE mode to
127.0.0.1by default. Require an explicit reviewed setting before binding to0.0.0.0, publishing container ports, or routing through an ingress, tunnel, or preview URL. - Replace wildcard CORS with a narrow origin allow-list. When the transport is intended for local tool use only, reject non-local origins rather than relying on CORS as the only control.
- Scope
GITLAB_PERSONAL_ACCESS_TOKENto the smallest needed GitLab project, group, and API permissions. Avoid running a broad personal token in a shared or browser-reachable MCP server. - If an affected SSE endpoint was reachable by untrusted users or browser contexts, rotate the GitLab PAT and review GitLab audit logs for unexpected repository reads, file writes, pushes, merge requests, group changes, settings changes, and destructive operations.
The prompt
You are remediating CVE-2026-44895 / GHSA-8jr5-6gvj-rfpf, a high-severity
authentication bypass in `@yoda.digital/gitlab-mcp-server` SSE transport.
Produce exactly one output:
- A reviewer-ready PR/change request that upgrades the package, requires
authentication on the SSE MCP transport, removes unsafe CORS and bind
defaults, scopes GitLab token exposure, refreshes generated artifacts, and
documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected GitLab MCP Server
runtime, package, image, deployment, MCP registration, or operator guide.
## Rules
- Scope only CVE-2026-44895 / GHSA-8jr5-6gvj-rfpf and directly related
GitLab MCP SSE authentication, CORS, bind address, port exposure, and GitLab
token handling.
- Treat GitLab PATs, OAuth tokens, deploy keys, project names, private
repository contents, issues, merge requests, CI/CD variables, webhooks, group
membership, audit logs, MCP session IDs, and tool arguments as sensitive.
- Do not invoke live GitLab MCP tools, read private repositories, push files,
create or merge merge requests, change settings, delete resources, print
tokens, or test against a production MCP endpoint.
- Do not leave SSE mode unauthenticated because it is "developer only" if a
browser, LAN client, dev tunnel, container port, or preview URL can reach it.
- Do not auto-merge.
## Steps
1. Inventory every `@yoda.digital/gitlab-mcp-server` reference controlled by
this repository: package manifests, lockfiles, Dockerfiles, Compose files,
devcontainers, process managers, MCP client/server config, GitLab Duo or IDE
setup docs, Helm/Kubernetes manifests, Terraform, reverse-proxy config,
generated SBOMs, dependency reports, and operator runbooks.
2. Determine every resolved package version. A target is vulnerable if it
resolves to `@yoda.digital/gitlab-mcp-server <0.6.0`.
3. Search for SSE launch and exposure paths: `USE_SSE=true`, `/sse`,
`/messages`, published ports, `0.0.0.0`, Codespaces or devcontainer port
forwarding, local browser clients, tunnels, preview URLs, reverse proxies,
Kubernetes Services, ingresses, and host firewall rules.
4. Search for privileged GitLab runtime context: `GITLAB_PERSONAL_ACCESS_TOKEN`,
OAuth tokens, deploy keys, project/group scopes, admin tokens, write scopes,
destructive tool registrations, CI/CD variable access, and shared worker
environments.
5. If this repository only contains unrelated docs or client code, stop with
`TRIAGE.md` naming the checked files, runtime owner, required fixed version
`0.6.0+`, required SSE auth boundary, and whether token rotation should be
routed to another team.
6. Upgrade every controlled package reference to
`@yoda.digital/gitlab-mcp-server 0.6.0+`. Regenerate lockfiles,
package-manager metadata, image digests, deployment render output, generated
dependency reports, and SBOMs.
7. Harden SSE startup and request handling:
- require `MCP_GITLAB_AUTH_TOKEN` or an equivalent secret-backed auth
control before SSE mode starts;
- validate authorization before opening `/sse` sessions;
- validate authorization again before accepting `/messages` requests;
- reject missing, malformed, or ambiguous auth context fail-closed;
- ensure MCP session IDs are treated as routing state, not authentication.
8. Harden network and browser exposure:
- bind to `127.0.0.1` by default;
- remove accidental `0.0.0.0`, LAN, public, tunnel, and forwarded-port
defaults;
- require a reviewed config flag before intentional network exposure;
- replace wildcard CORS with a narrow allow-list;
- block `/sse` and `/messages` at internet-facing edges unless protected by
independent authentication.
9. Reduce GitLab blast radius:
- scope PATs to the smallest project/group and permission set;
- avoid using personal admin tokens for shared MCP runtimes;
- split read-only tools from write/destructive tools where possible;
- disable destructive tools on browser-reachable or shared transports unless
an authenticated admin context is present;
- redact PATs, project contents, CI/CD variables, and tool arguments from
logs and snapshots.
10. Add safe tests or policy checks:
- resolved package version is `0.6.0+`;
- SSE mode without an auth secret fails to start;
- unauthenticated `GET /sse` is rejected;
- unauthenticated `POST /messages` is rejected even with a session-like ID;
- configured CORS origins are not wildcard by default;
- default bind address is loopback;
- deployment render output does not publish the SSE port without an
explicit reviewed exception and independent auth;
- logs redact tokens, session IDs, repository contents, and CI/CD values.
11. Add a PR body section named `CVE-2026-44895 operator actions` that states:
- package versions before and after;
- whether SSE mode was enabled;
- effective bind address, published ports, and CORS allow-list;
- the auth boundary protecting `/sse` and `/messages`;
- the GitLab token scope and whether destructive tools were reachable;
- whether GitLab PATs, deploy keys, webhook secrets, or CI/CD variables
need rotation;
- which GitLab audit logs operators should review;
- which validation commands passed.
12. Run available validation: package install, lockfile integrity, unit/API
auth tests, MCP config validation, gateway/ingress rendering, container
build, SBOM refresh, dependency/security scans, and safe local HTTP auth
tests against fixtures only.
13. Use PR title:
`fix(sec): remediate CVE-2026-44895 in GitLab MCP SSE transport`.
## Stop conditions
- No affected GitLab MCP Server runtime, dependency, image, MCP registration,
deployment manifest, or operator doc is controlled by this repository.
- A fixed package version cannot be consumed without a broader MCP client or
GitLab workflow migration.
- Exposure can only be verified by invoking live GitLab MCP tools, reading
private repositories, writing files, creating merge requests, changing
settings, deleting resources, or touching production data.
- Product requirements intentionally expose SSE MCP to untrusted callers without
authentication; document the required security-owner decision in `TRIAGE.md`.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades GitLab MCP server, requires bearer auth on SSE/message routes, removes wildcard CORS, binds safely by default, adds regression tests, and documents PAT cleanup.
- Or a
TRIAGE.mdfile that lists inspected files, owner, observed version, endpoint exposure, PAT reach, required fix, and rotation recommendation. - The output must include exact validation commands and must not expose real GitLab PATs, repository data, bearer headers, or production logs.
Verification - what the reviewer looks for
- No controlled manifest, lockfile, image, SBOM, or dependency report resolves
@yoda.digital/gitlab-mcp-server <0.6.0. - SSE mode fails closed unless an inbound auth control is configured.
- Both
/sseand/messagesreject unauthenticated requests before GitLab tool dispatch. - The MCP server is loopback-only by default, and intentional network exposure has an explicit auth gateway and narrow CORS allow-list.
- GitLab tokens are scoped to the minimum needed permissions, and destructive tools are not reachable from shared or browser-reachable transports without authenticated authorization.
- Operator actions cover token rotation and audit-log review when the endpoint was reachable by untrusted clients or browser contexts.
Watch for
- Upgrading
package.jsonwhile a lockfile, Docker image, devcontainer, global install, MCP registration, or generated dependency report still resolves an affected package. - Adding auth to
/ssebut forgetting that/messages?sessionId=...can still carry MCP tool calls. - Treating MCP session IDs as proof of identity.
- Removing wildcard CORS but leaving the server bound to
0.0.0.0with no bearer token or gateway auth. - Testing with a real GitLab PAT or attaching private repository output to a PR.
- Rotating the PAT but leaving CI/CD variables, deploy keys, webhook secrets, or cached MCP config exposed in the same runtime.
Related recipes
- Source code authz tenant boundary audit
- Source code secrets and data exposure audit
- Source code attack surface map
- NIST SSDF repository evidence check
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-8jr5-6gvj-rfpf
- Vendor advisory: https://github.com/yoda-digital/mcp-gitlab-server/security/advisories/GHSA-8jr5-6gvj-rfpf
- GitLab Advisory Database: https://advisories.gitlab.com/npm/%40yoda.digital/gitlab-mcp-server/CVE-2026-44895/
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-44895