Officehub-Tech-LLC/MCP-Server
critical
MCP Server Integration with Zoho CRM
This MCP server integrates with Zoho CRM to provide conversational AI capabilities, allowing users to read, search, create, update, delete, and bulk-c...
ACCESS_TOKEN = "1000.d670c62c95dbf02dfe531d286b559c12.68c285c2939aebe00b8bc6de9548d7cf"
Exploitable if the MCP server source code is exposed or if an attacker gains access to the server's filesystem. Under the network_exposed threat model, the token is directly accessible.
A Zoho CRM OAuth access token is hardcoded in plaintext in the source code. This token is used for all API calls to Zoho CRM.
Impact: Anyone with access to the source code (e.g., via repository access, MCP server exposure) can use this token to authenticate to Zoho CRM and perform any API operations, including reading, creating, updating, and deleting records across all modules. The token is valid until it expires or is revoked.
Fix: Remove the hardcoded token. Use environment variables or a secure secrets manager to inject the token at runtime. For example, use os.getenv('ZOHO_ACCESS_TOKEN').
@mcp.tool()
def search_records(ctx, module_name: str, search_criteria: str):
    ...
    url = f"{ZOHO_API_BASE_URL}/{module_name}/search"
Exploitable via untrusted prompts when MCP is network_exposed.
Multiple tools accept a module_name parameter that is directly used in URL construction without validation against a whitelist. This allows an attacker to specify arbitrary module names, potentially accessing unintended Zoho CRM resources.
Impact: An attacker could access, create, update, or delete records in any Zoho CRM module, including sensitive ones like 'Users', 'Roles', or custom modules not intended for exposure. This could lead to unauthorized data access or modification.
Fix: Validate module_name against a whitelist of allowed modules (e.g., ZOHO_MODULES list) in each tool. Reject any module_name not in the whitelist.
@mcp.tool()
def get_module_data(ctx, module_name: str = None):
    ...
    if module_name:
        url = f"{ZOHO_API_BASE_URL}/{module_name}"
        response = requests.get(url, headers=headers)
Exploitable via untrusted prompts when MCP is network_exposed.
The module_name parameter is directly concatenated into the API URL without any validation or sanitization. An attacker could provide arbitrary module names, potentially accessing unintended Zoho CRM endpoints or causing unexpected behavior.
Impact: An attacker could potentially access other Zoho CRM API endpoints by manipulating the module_name parameter (e.g., path traversal or accessing settings endpoints). While the API base URL is fixed, the lack of validation could allow access to modules not intended by the server (e.g., 'settings', 'users').
Fix: Validate module_name against a whitelist of allowed modules (e.g., ZOHO_MODULES list). Reject any module_name not in the whitelist.
@mcp.tool()
def create_record(ctx, module_name: str, record_data: dict):
    ...
    response = requests.post(url, headers=headers, data=json.dumps(payload))

@mcp.tool()
def delete_record(ctx, module_name: str, record_id: str):
    ...
    response = requests.delete(url, headers=headers)
Exploitable via untrusted prompts when MCP is network_exposed. Even with local-only, a compromised LLM could abuse these capabilities.
The MCP server exposes tools that allow full CRUD (Create, Read, Update, Delete) operations on Zoho CRM records without any access control or rate limiting. The intended purpose is to provide CRM integration, but the scope is overly broad.
Impact: An attacker with access to the MCP server (via network exposure) can create, modify, or delete any CRM records, potentially causing data loss, data corruption, or unauthorized data manipulation. The lack of restrictions means any prompt can trigger destructive actions.
Fix: Implement access controls (e.g., read-only mode for certain users), add confirmation steps for destructive operations, and consider limiting the scope of operations based on user roles or API keys.