CVE-2025-13822: MCPHub has an authentication bypass

April 14, 2026 (updated April 15, 2026)

MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges.

References

cert.pl/en/posts/2026/04/CVE-2025-13822
github.com/advisories/GHSA-9vq7-9h42-j88h
github.com/samanhappy/mcphub
nvd.nist.gov/vuln/detail/CVE-2025-13822

Code Behaviors & Features

Detect and mitigate CVE-2025-13822 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →