CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-h9f9-h6gm-wc85: flyto-core has Unauthenticated Command Execution via HTTP MCP `execute_module`

highCVSS 8.4CVE-2026-55786
Unauthenticated Command Execution via HTTP MCP execute_module Summary The HTTP MCP endpoint (POST /mcp) in flyto-core accepts unauthenticated JSON-RPC tools/call requests and dispatches them to arbitrary registered modules, including sandbox.execute_shell, which passes attacker-controlled input directly to asyncio.create_subprocess_shell. An unauthenticated attacker can execute arbitrary OS commands as the flyto-core server process. By default the server binds to 127.0.0.1, making this a High-severity local vulnerability (CVSS 8.4); if started with --host 0.0.0.0, it becomes remotely exploitable over the network. Dynamic reproduction confirmed command execution as root inside a Docker container without any Authorization header. Details flyto-core exposes an HTTP API via FastAPI. When the API is started (flyto serve), the MCP router is unconditionally mounted at /mcp (src/core/api/server.py:75-78). The route handler at src/core/api/routes/mcp.py:65-66 declares @router.post("") with no Depends(require_auth) dependency, unlike the analogous REST execution routes (src/core/api/routes/modules.py:93) which enforce both authentication and a module denylist. The complete unauthenticated data flow from source to sink: 1. src/core/api/server.py:75-78 — mcp_router is mounted under /mcp unconditionally at app creation. 2. src/core/api/routes/mcp.py:65-66 — @router.post("") has no Depends(require_auth) guard; any HTTP client may POST to this route. 3. src/core/api/routes/mcp.py:79 — the full request body (attacker-controlled JSON) is parsed without validation. 4. src/core/api/routes/mcp.py:103-104 — each JSON-RPC item is forwarded to handle_jsonrpc_request without a module_filter. 5. **src/core/mcp_handler.py:813-838** — tools/call with name execute_module forwards attacker-controlled module_id and params to execute_module(). 6. **src/core/mcp_handler.py:180, 214-215** — the

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 8.4
Published
2026-07-06
Last updated
2026-07-06
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-h9f9-h6gm-wc85

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-55786coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories