CVE-2025-13822

EPSS 0.25%

MCPHub has an authentication bypass

Published: 4/14/2026Modified: 4/15/2026

Description

MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges.

Affected packages (1)

npm/@samanhappy/mcphubfrom 0, < 0.11.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-13822
PATCHhttps://github.com/samanhappy/mcphub
WEBhttps://cert.pl/en/posts/2026/04/CVE-2025-13822