MCPHub: Unauthenticated Users Can Act as Others
CVE-2025-13822
GHSA-9vq7-9h42-j88h
Summary
Versions of MCPHub below 0.11.0 have a security issue where anyone can access and act as other users without being authorized. This can lead to unauthorized access and actions on the system. Update to version 0.11.0 or later to fix this issue.
What to do
- Update samanhappy mcphub to version 0.11.0.
- Update samanhappy @samanhappy/mcphub to version 0.11.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | samanhappy | mcphub | < 0.11.0 (fix: upgrade to 0.11.0) |
| npm | samanhappy | @samanhappy/mcphub | < 0.11.0 (fix: upgrade to 0.11.0) |
Original title
MCPHub has an authentication bypass
Original description
MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges.
NVD CVSS 4.0
5.3
Vulnerability type
CWE-639: Authorization Bypass Through User-Controlled Key
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 14 Apr 2026