Threat Advisory

GitLab MCP Server Vulnerability Exposes Tools

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-44895, with a CVSS score of 7.5, is a high-severity vulnerability in the npm package @yoda.digital/gitlab-mcp-server, affecting all versions prior to 0.6.0. The vulnerability lies in the SSE HTTP transport, which runs with no authentication and wildcard CORS on every endpoint, exposing all 86 GitLab tools, including destructive operations, to any caller who can reach the server. Specifically, the two endpoints GET /sse and POST /messages?sessionId= are served with no credential check, so an attacker can establish an SSE connection and issue tool calls, including delete_repository, delete_group, push_files, create_merge_request, update_repository_settings and others, which the server executes with the operator's GitLab Personal Access Token. An attacker who can reach the server, either directly or through the browser-tab vector enabled by wildcard CORS, can thereby gain full control over the exposed tools, with consequences including data loss, unauthorized changes and security breaches. Prerequisites for exploitation are network reachability of the server and knowledge of the GitLab API endpoints.

RECOMMENDATION:

  • We recommend updating the npm package @yoda.digital/gitlab-mcp-server to version 0.6.0 or later.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-8jr5-6gvj-rfpf
