CVE-2026-48039 - Meta Ads MCP HTTP tool auth bypass
meta-ads-mcp before 1.0.109 could forward unauthenticated Streamable HTTP
requests to MCP tool handlers instead of returning 401. When downstream Meta
API requests then failed, the service could serialize an operator
META_ACCESS_TOKEN into a JSON-RPC error path, leaking the token to the same
unauthenticated caller.
This is both an authentication failure and a secret-handling failure. The fix is to upgrade, fail closed when no caller credential is present, and remove all fallback behavior that lets operator tokens flow into unauthenticated tool execution.
When to use it
Use this recipe when a repository, MCP server deployment, agent gateway, or
marketing automation workbench runs meta-ads-mcp. It focuses on HTTP tool
authentication, operator-token containment, secret redaction, and audit
evidence that unauthenticated callers cannot execute Meta Ads MCP tools.
Inputs
meta-ads-mcpversion, service config, Streamable HTTP routes, MCP gateway config, auth middleware, and deployment ingress.- Evidence of token handling for
META_ACCESS_TOKEN, error serialization, logs, telemetry, and JSON-RPC failure paths. - Tests or fixtures for missing auth, invalid auth, valid auth, and downstream Meta API failures without real operator tokens.
- Boundary notes for who can reach the MCP HTTP endpoint: localhost, LAN, shared workbench, internal gateway, or internet-facing service.
Affected versions
- Vulnerable:
meta-ads-mcp <=1.0.101 - Patch signal:
1.0.109 - Metadata caveat: versions
1.0.102through1.0.105lacked git tags in the reviewed advisory, so confirm the exact deployed build during triage
Indicator-of-exposure
- The repository packages, deploys, or customizes
meta-ads-mcp. - Streamable HTTP MCP endpoints are reachable from any network path beyond a tightly controlled admin channel.
- The deployment sets
META_ACCESS_TOKENor similar operator-level Meta Graph credentials in the server environment. - Authentication middleware is expected to protect HTTP tool execution rather than every downstream tool individually.
Quick checks:
rg -n "meta-ads-mcp|META_ACCESS_TOKEN|http_auth_integration|call_next|401|mcp|streamable|json-rpc" .
python -m pip show meta-ads-mcp
python -m pip freeze | rg '^meta-ads-mcp=='
Windows:
rg -n "meta-ads-mcp|META_ACCESS_TOKEN|http_auth_integration|call_next|401|mcp|streamable|json-rpc" .
python -m pip show meta-ads-mcp
python -m pip freeze | rg '^meta-ads-mcp=='
Remediation strategy
- Upgrade
meta-ads-mcpto1.0.109+. - Return
401or equivalent fail-closed responses whenever request authentication is absent or invalid. - Remove any fallback that lets operator environment tokens substitute for missing caller credentials on HTTP-exposed tool paths.
- Redact access tokens from error paths, logs, traces, and JSON-RPC responses.
- Rotate operator Meta access tokens if unauthenticated HTTP reachability existed during the exposure window.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-48039 / GHSA-9gw6-46qc-99vr in `meta-ads-mcp`.
The issue allows unauthenticated HTTP MCP tool execution and can leak the
operator Meta access token. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades the package, fails closed on
missing auth, redacts secrets, and documents token-rotation actions, or
- TRIAGE.md if this repository does not control an affected HTTP MCP runtime.
## Rules
- Scope only CVE-2026-48039 and directly related HTTP auth and token handling.
- Treat Meta access tokens, ad account ids, business ids, and MCP request logs
as sensitive.
- Do not invoke live Meta tools or force real token-bearing failures.
- Do not keep operator-token fallback behavior on unauthenticated endpoints.
- Do not auto-merge.
## Steps
1. Inventory every `meta-ads-mcp` dependency, image, deployment manifest, and
runtime config owned by this repository.
2. Determine the exact deployed version and whether HTTP/Streamable MCP routes
are reachable from untrusted or semi-trusted networks.
3. Inspect auth middleware and downstream tool handlers for missing-credential
paths, `call_next` behavior, and token fallback from environment variables.
4. If the repository does not control an affected HTTP runtime, stop with
`TRIAGE.md` naming the owner and required fixed version `1.0.109+`.
5. Upgrade to `1.0.109+` and refresh locks, images, SBOMs, and generated docs.
6. Enforce fail-closed auth on every HTTP MCP request path before any tool
handler runs.
7. Remove or gate operator-token fallback so unauthenticated callers never
inherit `META_ACCESS_TOKEN` or equivalent credentials.
8. Redact tokens from error serialization, logs, traces, and debug responses.
9. Add safe regression checks:
- missing auth returns `401` or equivalent;
- unauthorized requests never reach tool handlers;
- error payloads and logs omit query-string tokens and auth headers.
10. Add a PR body section named `CVE-2026-48039 operator actions` covering:
- versions before and after;
- whether unauthenticated HTTP reachability existed;
- which tokens may need rotation;
- which logs should be reviewed for leaked tokens;
- validation that passed.
11. Run available validation: dependency install, unit/API tests, auth tests,
image build, deployment render, and secret-scanning checks.
12. Use PR title:
`fix(sec): remediate CVE-2026-48039 in Meta Ads MCP`.
## Stop conditions
- No HTTP-exposed `meta-ads-mcp` runtime is controlled by this repository.
- Verification would require sending real token-bearing upstream requests.
- Existing architecture intentionally depends on unauthenticated HTTP tool
execution; document the risk and require a security decision instead.
- Validation fails for unrelated pre-existing reasons; document those failures.
Output contract
- A reviewer-ready PR or change request that upgrades
meta-ads-mcp, fails closed on missing auth, redacts operator tokens from errors/logs, adds auth regression tests, and documents token cleanup. - Or a
TRIAGE.mdfile that lists inspected files, owner, observed version, endpoint exposure, token reach, required fix, and rotation recommendation. - The output must include exact validation commands and must not expose real Meta tokens, customer ad account data, bearer headers, or production logs.
Verification - what the reviewer looks for
- No controlled deployment resolves a vulnerable
meta-ads-mcpbuild. - Missing or invalid auth is rejected before any MCP tool execution.
- Error payloads, logs, and traces do not expose
META_ACCESS_TOKENor similar secrets. - Operator token rotation and log review are documented if exposure existed.
Watch for
- Fixing middleware but leaving a secondary HTTP route or reverse-proxy bypass.
- Blocking unauthenticated requests while still serializing tokens in error objects.
- Rotating the package but not rotating credentials that may already have leaked.
Related recipes
- Source code authz tenant boundary audit
- Source code secrets and data exposure audit
- Source code attack surface map
- NIST SSDF repository evidence check
References
- GitHub Advisory: https://github.com/advisories/GHSA-9gw6-46qc-99vr
- Vendor advisory: https://github.com/pipeboard-co/meta-ads-mcp/security/advisories/GHSA-9gw6-46qc-99vr
- Fixed release: https://github.com/pipeboard-co/meta-ads-mcp/releases/tag/1.0.109
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-48039