critical

Meta Ads MCP: Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token

critical-cve-against-dependency · active

The pipeboard-co/meta-ads-mcp server forwards unauthenticated HTTP MCP requests to tool handlers without returning a 401, letting any network-reachable caller invoke MCP tools as the operator. On a Graph API error, the operator's META_ACCESS_TOKEN is returned verbatim in the response, allowing full credential exfiltration.
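A defensive pattern for the two failures described above, as an added example that is not the project's own code: reject unauthenticated MCP requests with a 401 before any tool handler runs, and scrub the upstream token from whatever is returned to the caller. The function names, the bearer-secret scheme and the sample error payload are assumptions; the page does not say where in the response the token appears.

```python
import hmac
from urllib.parse import quote

REDACTED = "[REDACTED]"

def is_authorized(headers, expected_bearer):
    """Constant-time check of an 'Authorization: Bearer <secret>' header."""
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, presented = auth.partition(" ")
    return (scheme.lower() == "bearer" and bool(expected_bearer)
            and hmac.compare_digest(presented.encode(), expected_bearer.encode()))

def redact(value, secrets):
    """Recursively scrub secret strings (raw and percent-encoded) from a payload."""
    if isinstance(value, str):
        for s in filter(None, secrets):  # skip empty secrets
            for form in {s, quote(s, safe="")}:
                value = value.replace(form, REDACTED)
        return value
    if isinstance(value, dict):
        return {k: redact(v, secrets) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v, secrets) for v in value]
    return value

def handle_mcp_request(headers, body, tool_handler, *, client_secret, upstream_token):
    """Return (http_status, json_serialisable_body) for one MCP tool call."""
    if not is_authorized(headers, client_secret):
        # Fail closed: the tool handler is never reached without credentials.
        return 401, {"error": "unauthorized"}
    try:
        result = tool_handler(body)
    except Exception:
        # Detail belongs in server-side logs, not in the caller's response.
        return 502, {"error": "upstream request failed"}
    return 200, redact(result, [upstream_token])

# Constructed sample: a hypothetical handler that echoes the token in an error payload.
SAMPLE_TOKEN = "EAAB-constructed-token/123"
CALLS = []

def leaky_handler(body):
    CALLS.append(body)
    return {"error": {"message": "Graph API error",
                      "details": f"access_token={quote(SAMPLE_TOKEN, safe='')}"}}

def demo():
    kw = dict(client_secret="constructed-client-secret", upstream_token=SAMPLE_TOKEN)
    anon = handle_mcp_request({}, {"tool": "x"}, leaky_handler, **kw)
    authed = handle_mcp_request({"Authorization": "Bearer constructed-client-secret"},
                                {"tool": "x"}, leaky_handler, **kw)
    return anon, authed
```

Redaction at the response boundary is a backstop; the authentication check is what keeps unauthenticated callers away from the tool handlers in the first place.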

Affected packages

Indicators of compromise

Sources