Threat Advisory

Meta Ads MCP Vulnerabilities Enable Unauthenticated Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-48039 (CVSS 9.1, Critical) is an authentication bypass in the Meta Ads MCP package (meta-ads-mcp) affecting versions 1.0.108 and below. The server's `AuthInjectionMiddleware.dispatch()` unconditionally forwards unauthenticated Streamable HTTP requests to the downstream MCP tool handlers instead of rejecting them with a 401 response. When a request carries no per-request credential, the tool handlers fall back to the `META_ACCESS_TOKEN` environment variable, which holds the operator's own Meta access token. An attacker who can reach the server over the network can therefore send an unauthenticated HTTP POST to the /mcp endpoint and have MCP tools executed with the operator's token; no prior authentication is required. The only preconditions are that `META_ACCESS_TOKEN` is set in the server's environment and that the endpoint is network reachable. Successful exploitation lets the attacker invoke MCP tools and call the Meta Graph API on the operator's behalf and leaks the operator's access token, giving unauthorized access to the data and systems that token can reach.
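The following Python is an added illustration of the middleware shape the advisory describes, placed beside a hardened version. It is not code from the meta-ads-mcp project: the `Request`/`Response` classes, the handler names, the `x-injected-token` header, the `example_tool` name and the token values are assumptions of this example; only the shape of the bug (a dispatch that never returns 401, a handler that falls back to `META_ACCESS_TOKEN`) follows the advisory text.

```python
"""Vulnerable vs hardened auth-injection middleware for an MCP HTTP endpoint.

Added example modelled on the advisory's description; not the project's code.
All names, header keys and token strings below are constructed placeholders.
"""
import json
import os
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed placeholder; stands in for the operator's real token.
OPERATOR_ENV_TOKEN = "OPERATOR_TOKEN_PLACEHOLDER"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Response:
    status: int
    payload: dict


Handler = Callable[[Request], Response]


def bearer_token(request: Request) -> Optional[str]:
    """Return the Bearer token from the Authorization header, or None."""
    scheme, _, token = request.headers.get("authorization", "").partition(" ")
    return token if scheme.lower() == "bearer" and token else None


# --- vulnerable shape ---------------------------------------------------------
def vulnerable_dispatch(request: Request, call_next: Handler) -> Response:
    """Injects a per-request token when one is present but never rejects."""
    token = bearer_token(request)
    if token is not None:
        request.headers["x-injected-token"] = token  # hypothetical header name
    return call_next(request)  # forwarded unconditionally: no 401 is ever issued


def vulnerable_tool_handler(request: Request) -> Response:
    """Falls back to META_ACCESS_TOKEN when the request carried no credential."""
    token = request.headers.get("x-injected-token") or os.environ.get("META_ACCESS_TOKEN")
    if not token:
        return Response(401, {"error": "no credential available"})
    # Stand-in for the Graph API call; reports which token would be sent upstream.
    return Response(200, {"result": "ok", "token_used": token})


# --- hardened shape -----------------------------------------------------------
def hardened_dispatch(request: Request, call_next: Handler) -> Response:
    """Rejects requests without a per-request credential before any tool runs."""
    token = bearer_token(request)
    if token is None:
        return Response(401, {"error": "unauthorized"})
    request.headers["x-injected-token"] = token
    return call_next(request)


def hardened_tool_handler(request: Request) -> Response:
    """Defense in depth: HTTP-originated calls never read the process environment."""
    token = request.headers.get("x-injected-token")
    if not token:
        return Response(401, {"error": "unauthorized"})
    return Response(200, {"result": "ok", "token_used": token})


def post_mcp(dispatch, handler: Handler, authorization: Optional[str] = None) -> Response:
    """Simulate an HTTP POST to /mcp carrying a minimal MCP tools/call request."""
    os.environ["META_ACCESS_TOKEN"] = OPERATOR_ENV_TOKEN  # operator's token is set
    headers = {"content-type": "application/json"}
    if authorization:
        headers["authorization"] = authorization
    body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                       "params": {"name": "example_tool", "arguments": {}}}).encode()
    return dispatch(Request("POST", "/mcp", headers, body), handler)


if __name__ == "__main__":
    for label, dispatch, handler in [
        ("vulnerable", vulnerable_dispatch, vulnerable_tool_handler),
        ("hardened", hardened_dispatch, hardened_tool_handler),
    ]:
        r = post_mcp(dispatch, handler)
        print(f"{label}: unauthenticated POST /mcp -> {r.status} {r.payload}")
```

In the vulnerable pairing an unauthenticated POST reaches the tool handler and runs with the operator's environment token; the hardened middleware stops at the 401, and the hardened handler additionally refuses to consult the environment even if a future middleware change lets a request through.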

RECOMMENDATION:

We recommend updating meta-ads-mcp to version 1.0.109 or later. Until the update is applied, do not expose the server's /mcp endpoint to untrusted networks, since network reachability is the only precondition for exploitation.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-9gw6-46qc-99vr
