How is CVE-2026-50287 exploited?

Network reachability (required): The /mcp endpoint is exposed over HTTP, so the attacker must be able to reach the service across the network. Authentication (not-required): No HTTP authentication layer is present; any remote client can initialize a session and call tools without credentials. Victim interaction (not-required): The attacker interacts directly with the endpoint and does not need any action from a user or operator to complete the attack. Attack complexity (info): Exploit conditions are straightforward and reliable, with no race conditions or environmental dependencies required.

What is the impact of CVE-2026-50287?

Reads emails, phone numbers, and any content processed through the MCP tool interface belonging to AI agent sessions. Initializes arbitrary sessions and invokes MCP tools directly, bypassing any application-layer access controls built on top of the unauthenticated endpoint. Exposes sensitive data managed by AI agents, including messages and contact identifiers, to any network-reachable client.

Back to search

HIGHCVE-2026-50287Published 2026-06-12Modified 2026-06-15CNA GitHub_M

CVE-2026-50287: Missing Authentication for Critical Function in @agenticmail/mcp

AgenticMail gives AI agents real email addresses and phone numbers. Prior to version 0.9.27, @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or MCP_HTTP=1. In that mode, the /mcp endpoint accepts requests without any HTTP authentication layer. A remote client can initialize a session and call tools directly. This issue has been patched in version 0.9.27.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Missing authentication for a critical function in @agenticmail/mcp allows any remote client to interact with the exposed /mcp endpoint without credentials. The service is reachable over the network and requires no authentication, login, or prior session, as reflected in the CVSS v4.0 vector (AV:N, PR:N, UI:N). Successful exploitation gives an attacker full read access to data handled by the AI agent, including email addresses, phone numbers, and any content processed through the MCP tool interface. A patched-image rebuild at version 0.9.27 is available on HarborGuard for environments running an affected version of this package.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle @agenticmail/mcp as a dependency. Any image layer containing a version of the package below 0.9.27 is flagged immediately.

Available

Triage

HarborGuard scores this finding at CVSS v4.0 8.7 (High) and weights it against each environment's compliance policy to determine urgency and routing. Triage tickets are surfaced to the appropriate team inbox inside each customer org based on policy configuration.

Available

Patch

A patched-image rebuild at version 0.9.27 becomes available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The /mcp endpoint is exposed over HTTP, so the attacker must be able to reach the service across the network.
AuthenticationNot required
No HTTP authentication layer is present; any remote client can initialize a session and call tools without credentials.
Victim interactionNot required
The attacker interacts directly with the endpoint and does not need any action from a user or operator to complete the attack.
Attack complexityDetail
Exploit conditions are straightforward and reliable, with no race conditions or environmental dependencies required.

Blast Radius

Reads emails, phone numbers, and any content processed through the MCP tool interface belonging to AI agent sessions.
Initializes arbitrary sessions and invokes MCP tools directly, bypassing any application-layer access controls built on top of the unauthenticated endpoint.
Exposes sensitive data managed by AI agents, including messages and contact identifiers, to any network-reachable client.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image containing @agenticmail/mcp below version 0.9.27, including custom images that vendor the package. For customers with auto-remediation enabled, HarborGuard rebuilds the image at version 0.9.27, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Until a rebuild is deployed, compensating controls worth considering include placing the MCP HTTP endpoint behind a network policy that restricts ingress to trusted internal CIDR ranges, adding an ingress-layer authentication proxy in front of the /mcp path, and disabling the --http flag or unsetting MCP_HTTP=1 in container environment variables if the HTTP transport is not operationally required.

See how HarborGuard automates this

Affected packages

agenticmail / agenticmail
< 0.9.27

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

https://github.com/agenticmail/agenticmail/security/advisories/GHSA-63gr-g7jc-v8rg

Metrics

Get notified