GHSA-647h-p824-99w7: @grackle-ai/mcp has a workspace authorization bypass in its knowledge_search MCP tool
The knowledge_search and knowledge_get_node MCP tools are included in SCOPED_TOOLS (visible to scoped agents) but their handlers do not receive authContext and do not enforce workspace scoping. A scoped agent in Workspace A can supply an arbitrary workspaceId parameter to search or retrieve knowledge graph nodes from Workspace B, bypassing workspace isolation boundaries.
This is a cross-workspace data leakage vulnerability affecting any deployment where multiple workspaces contain sensitive knowledge graph data and scoped agents are used.
Affected code:
packages/mcp/src/tools/knowledge.ts:146-169(knowledge_search handler)packages/mcp/src/tools/knowledge.ts:244-283(knowledge_get_node handler)packages/mcp/src/tool-scoping.ts:11(both tools listed in SCOPED_TOOLS)
Contrast with correct implementation: knowledge_create_node (same file, lines 334-357) properly receives authContext and overrides the user-supplied workspaceId for scoped callers.
References
Code Behaviors & Features
Detect and mitigate GHSA-647h-p824-99w7 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →