CVE-2026-48039 - Meta Ads MCP HTTP tool auth bypass

meta-ads-mcp before 1.0.109 could forward unauthenticated Streamable HTTP requests to MCP tool handlers instead of returning 401. When downstream Meta API requests then failed, the service could serialize an operator META_ACCESS_TOKEN into a JSON-RPC error path, leaking the token to the same unauthenticated caller.

This is both an authentication failure and a secret-handling failure. The fix is to upgrade, fail closed when no caller credential is present, and remove all fallback behavior that lets operator tokens flow into unauthenticated tool execution.

When to use it

Use this recipe when a repository, MCP server deployment, agent gateway, or marketing automation workbench runs meta-ads-mcp. It focuses on HTTP tool authentication, operator-token containment, secret redaction, and audit evidence that unauthenticated callers cannot execute Meta Ads MCP tools.

Inputs

  • meta-ads-mcp version, service config, Streamable HTTP routes, MCP gateway config, auth middleware, and deployment ingress.
  • Evidence of token handling for META_ACCESS_TOKEN, error serialization, logs, telemetry, and JSON-RPC failure paths.
  • Tests or fixtures for missing auth, invalid auth, valid auth, and downstream Meta API failures without real operator tokens.
  • Boundary notes for who can reach the MCP HTTP endpoint: localhost, LAN, shared workbench, internal gateway, or internet-facing service.

Affected versions

  • Vulnerable: meta-ads-mcp <=1.0.101
  • Patch signal: 1.0.109
  • Metadata caveat: versions 1.0.102 through 1.0.105 lacked git tags in the reviewed advisory, so confirm the exact deployed build during triage

Indicator-of-exposure

  • The repository packages, deploys, or customizes meta-ads-mcp.
  • Streamable HTTP MCP endpoints are reachable from any network path beyond a tightly controlled admin channel.
  • The deployment sets META_ACCESS_TOKEN or similar operator-level Meta Graph credentials in the server environment.
  • Authentication middleware is expected to protect HTTP tool execution rather than every downstream tool individually.

Quick checks:

rg -n "meta-ads-mcp|META_ACCESS_TOKEN|http_auth_integration|call_next|401|mcp|streamable|json-rpc" .
python -m pip show meta-ads-mcp
python -m pip freeze | rg '^meta-ads-mcp=='

Windows:

rg -n "meta-ads-mcp|META_ACCESS_TOKEN|http_auth_integration|call_next|401|mcp|streamable|json-rpc" .
python -m pip show meta-ads-mcp
python -m pip freeze | rg '^meta-ads-mcp=='

Remediation strategy

  • Upgrade meta-ads-mcp to 1.0.109+.
  • Return 401 or equivalent fail-closed responses whenever request authentication is absent or invalid.
  • Remove any fallback that lets operator environment tokens substitute for missing caller credentials on HTTP-exposed tool paths.
  • Redact access tokens from error paths, logs, traces, and JSON-RPC responses.
  • Rotate operator Meta access tokens if unauthenticated HTTP reachability existed during the exposure window.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-48039 / GHSA-9gw6-46qc-99vr in `meta-ads-mcp`.
The issue allows unauthenticated HTTP MCP tool execution and can leak the
operator Meta access token. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades the package, fails closed on
  missing auth, redacts secrets, and documents token-rotation actions, or
- TRIAGE.md if this repository does not control an affected HTTP MCP runtime.

## Rules

- Scope only CVE-2026-48039 and directly related HTTP auth and token handling.
- Treat Meta access tokens, ad account ids, business ids, and MCP request logs
  as sensitive.
- Do not invoke live Meta tools or force real token-bearing failures.
- Do not keep operator-token fallback behavior on unauthenticated endpoints.
- Do not auto-merge.

## Steps

1. Inventory every `meta-ads-mcp` dependency, image, deployment manifest, and
   runtime config owned by this repository.
2. Determine the exact deployed version and whether HTTP/Streamable MCP routes
   are reachable from untrusted or semi-trusted networks.
3. Inspect auth middleware and downstream tool handlers for missing-credential
   paths, `call_next` behavior, and token fallback from environment variables.
4. If the repository does not control an affected HTTP runtime, stop with
   `TRIAGE.md` naming the owner and required fixed version `1.0.109+`.
5. Upgrade to `1.0.109+` and refresh locks, images, SBOMs, and generated docs.
6. Enforce fail-closed auth on every HTTP MCP request path before any tool
   handler runs.
7. Remove or gate operator-token fallback so unauthenticated callers never
   inherit `META_ACCESS_TOKEN` or equivalent credentials.
8. Redact tokens from error serialization, logs, traces, and debug responses.
9. Add safe regression checks:
   - missing auth returns `401` or equivalent;
   - unauthorized requests never reach tool handlers;
   - error payloads and logs omit query-string tokens and auth headers.
10. Add a PR body section named `CVE-2026-48039 operator actions` covering:
    - versions before and after;
    - whether unauthenticated HTTP reachability existed;
    - which tokens may need rotation;
    - which logs should be reviewed for leaked tokens;
    - validation that passed.
11. Run available validation: dependency install, unit/API tests, auth tests,
    image build, deployment render, and secret-scanning checks.
12. Use PR title:
    `fix(sec): remediate CVE-2026-48039 in Meta Ads MCP`.

## Stop conditions

- No HTTP-exposed `meta-ads-mcp` runtime is controlled by this repository.
- Verification would require sending real token-bearing upstream requests.
- Existing architecture intentionally depends on unauthenticated HTTP tool
  execution; document the risk and require a security decision instead.
- Validation fails for unrelated pre-existing reasons; document those failures.

Output contract

  • A reviewer-ready PR or change request that upgrades meta-ads-mcp, fails closed on missing auth, redacts operator tokens from errors/logs, adds auth regression tests, and documents token cleanup.
  • Or a TRIAGE.md file that lists inspected files, owner, observed version, endpoint exposure, token reach, required fix, and rotation recommendation.
  • The output must include exact validation commands and must not expose real Meta tokens, customer ad account data, bearer headers, or production logs.

Verification - what the reviewer looks for

  • No controlled deployment resolves a vulnerable meta-ads-mcp build.
  • Missing or invalid auth is rejected before any MCP tool execution.
  • Error payloads, logs, and traces do not expose META_ACCESS_TOKEN or similar secrets.
  • Operator token rotation and log review are documented if exposure existed.

Watch for

  • Fixing middleware but leaving a secondary HTTP route or reverse-proxy bypass.
  • Blocking unauthenticated requests while still serializing tokens in error objects.
  • Rotating the package but not rotating credentials that may already have leaked.

References