mcpflow/Fujitsu-AI_MCP-Server-for-MAS-Developments · critical

Mirror of https://github.com/Fujitsu-AI/MCP-Server-for-MAS-Developments

This MCP server provides a privateGPT-based agent that integrates with MCP clients to offer secure, authenticated chat and RAG (Retrieval-Augmented Ge...

purpose: This MCP server provides a privateGPT-based agent · threat: network exposed
0 · May 21, 2026 · May 21, 2026 · GITHUB ↗
RISK SCORE: 0/100
Scoring legend: low findings +5 · high findings +100 · medium findings +75 · capped at 100
VULNERABILITY ANALYSIS · 10 findings in 10 blocks · 4 HIGH · 5 MEDIUM · 1 LOW
HIGH · 1 finding
clients/Gradio/mcp_servers/sqlite/src/mcp_server_sqlite/server.py:349
349            elif name == "write_query":
350                if arguments["query"].strip().upper().startswith("SELECT"):
351                    raise ValueError("SELECT queries are not allowed for write_query")
352                results = db._execute_query(arguments["query"])
353                return [types.TextContent(type="text", text=str(results))]
clients/Gradio/main.py:18 → clients/Gradio/mcp_client.py:133 → clients/Gradio/mcp_servers/sqlite/src/mcp_server_sqlite/server.py:349

// Exploitable if an attacker can influence the LLM's tool selection, e.g., via prompt injection or if the LLM is compromised.

EXPLAIN: The write_query tool hands the LLM-supplied query string to _execute_query with no authentication and a single filter, the SELECT prefix test shown above. Nothing else in the handler limits the statement type, so a DROP TABLE or ALTER TABLE statement reaches the database as readily as an INSERT. An attacker who can influence the LLM can therefore modify or delete data in the SQLite database.
IMPACT: An attacker could delete tables, modify records, or insert malicious data, leading to data integrity issues or denial of service.
FIX: Implement authentication and authorization for write operations. Restrict the tool to the statement types it is meant to run (INSERT, UPDATE, DELETE) by checking what a statement does rather than how its text begins, or require user confirmation before each write.
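One way to do what the FIX asks for, as an added example that is not the project's code: instead of testing the text prefix, install a sqlite3 authorizer, which SQLite consults for every operation a compiled statement would perform (insert, delete, drop table, attach, ...), so the decision no longer depends on how the query string begins. The per-tool policy, the confirmation hook, and the names guarded_execute, POLICY and demo_db are this example's own assumptions.

```python
"""Engine-level policy for the sqlite tools (example, not the project's code)."""
import sqlite3

# Callbacks every tool must tolerate: SQLITE_TRANSACTION covers the
# BEGIN/COMMIT/ROLLBACK the Python driver issues around DML on its own.
_BASE = {sqlite3.SQLITE_TRANSACTION, sqlite3.SQLITE_SELECT,
         sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}
_WRITE = _BASE | {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE}
# CREATE TABLE records itself in sqlite_master; that shows up as INSERT/UPDATE/READ
# callbacks on the internal schema table and is allowed only for this tool.
_CREATE = {sqlite3.SQLITE_TRANSACTION, sqlite3.SQLITE_CREATE_TABLE,
           sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_READ}
POLICY = {"read_query": _BASE, "write_query": _WRITE, "create_table": _CREATE}
CONFIRM_REQUIRED = {"write_query", "create_table"}   # need a user decision first
_SCHEMA_WRITES = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE}
_ALLOW_ALL = lambda *args: sqlite3.SQLITE_OK   # noqa: E731  restored after each call


def _authorizer(tool):
    allowed = POLICY[tool]

    def authorize(action, arg1, arg2, db_name, trigger_or_view):
        if action not in allowed:
            return sqlite3.SQLITE_DENY
        touches_schema = bool(arg1) and arg1.startswith("sqlite_")
        if tool == "create_table":
            # The only rows CREATE TABLE may write are its own schema entries.
            if action in _SCHEMA_WRITES and not touches_schema:
                return sqlite3.SQLITE_DENY
        elif touches_schema and action in _SCHEMA_WRITES:
            # Direct edits of sqlite_master (how DROP TABLE begins) are never a tool write.
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    return authorize


def guarded_execute(conn, tool, sql, confirm=None):
    """Run one statement as `tool`. Raises PermissionError when the tool is
    unknown, a write tool has no positive confirm(tool, sql) answer (the UI
    hook), or SQLite reports an operation outside the tool's policy."""
    if tool not in POLICY:
        raise PermissionError(f"unknown tool {tool!r}")
    if tool in CONFIRM_REQUIRED and not (confirm and confirm(tool, sql)):
        raise PermissionError(f"{tool} requires explicit user confirmation")
    # Changing the authorizer expires SQLite's prepared statements, so the
    # driver's statement cache cannot replay text compiled under a looser policy.
    conn.set_authorizer(_authorizer(tool))
    try:
        # cursor.execute() compiles exactly one statement: "x; DROP TABLE y"
        # is refused by the driver before the authorizer is even consulted.
        with conn:
            cur = conn.execute(sql)
            cols = [d[0] for d in cur.description] if cur.description else []
            return [dict(zip(cols, row)) for row in cur.fetchall()]
    except sqlite3.DatabaseError as exc:
        if "authoriz" in str(exc).lower():
            raise PermissionError(f"{tool}: denied by policy for {sql!r}") from exc
        raise
    finally:
        conn.set_authorizer(_ALLOW_ALL)


def denied(conn, tool, sql, confirm=None):
    """True if the policy rejects the statement (convenience for checks)."""
    try:
        guarded_execute(conn, tool, sql, confirm)
    except PermissionError:
        return True
    return False


def demo_db():
    # Constructed sample database (example data, not the project's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users(name) VALUES ('alice'), ('bob')")
    conn.commit()
    return conn
```

The confirm callback is where the server asks the user (or a policy service) before a write runs; the authorizer is what keeps a confirmed write_query from escalating into DROP TABLE or ATTACH DATABASE.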
HIGH · 1 finding
clients/Gradio/mcp_servers/sqlite/src/mcp_server_sqlite/server.py:355
355            elif name == "create_table":
356                if not arguments["query"].strip().upper().startswith("CREATE TABLE"):
357                    raise ValueError("Only CREATE TABLE statements are allowed")
358                db._execute_query(arguments["query"])
359                return [types.TextContent(type="text", text="Table created successfully")]
clients/Gradio/main.py:18 → clients/Gradio/mcp_client.py:133 → clients/Gradio/mcp_servers/sqlite/src/mcp_server_sqlite/server.py:355

// Exploitable if an attacker can influence the LLM's tool selection, e.g., via prompt injection or if the LLM is compromised.

EXPLAIN: The create_table tool executes any statement whose text starts with CREATE TABLE, without authentication. An attacker can create arbitrary tables, including CREATE TABLE ... AS SELECT copies of existing data, and grow the database without bound. The prefix check does exclude CREATE TRIGGER, which is a separate statement, so this tool on its own cannot install triggers.
IMPACT: An attacker could create tables that consume disk space or clutter the schema, leading to resource exhaustion or denial of service.
FIX: Implement authentication and authorization for table creation. Consider restricting table creation to specific schemas or table names, or requiring user confirmation.
HIGH · 1 finding
clients/Gradio/mcp_servers/filesystem/index.ts:482
482      case "write_file": {
483        const parsed = WriteFileArgsSchema.safeParse(args);
484        if (!parsed.success) {
485          throw new Error(`Invalid arguments for write_file: ${parsed.error}`);
486        }
487        const validPath = await validatePath(parsed.data.path);
488        await fs.writeFile(validPath, parsed.data.content, "utf-8");
489        return {
490          content: [{ type: "text", text: `Successfully wrote to ${parsed.data.path}` }],
491        };
492      }
clients/Gradio/main.py:18 → clients/Gradio/mcp_client.py:133 → clients/Gradio/mcp_servers/filesystem/index.ts:482

// Exploitable if an attacker can influence the LLM's tool selection, e.g., via prompt injection or if the LLM is compromised.

EXPLAIN: The write_file tool takes a path and content chosen by the LLM and writes them to disk with no authentication or authorization beyond validatePath, the same containment check read_file uses, so every directory the server may read it may also overwrite. Since the MCP server is network-exposed, an attacker who can send prompts to the LLM can write arbitrary files anywhere in the allowed directories, overwriting existing files or planting new ones.
IMPACT: An attacker could overwrite configuration files, inject malicious scripts, or corrupt data within the allowed directories. This could lead to code execution if the written file is later executed (e.g., a shell script) or cause denial of service.
FIX: Implement authentication and authorization for write operations. Require explicit user confirmation for each write, or confine writes to a dedicated subdirectory that is separate from the directories exposed for reading.
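The "dedicated subdirectory" part of that FIX, shown as an added example in Python rather than the server's TypeScript (example code, not the project's validatePath): writes are confined to one subtree of the allowed root, and every existing path component is resolved before the containment decision, so a symlink planted inside the writable subtree cannot redirect a write to a file outside it. The helper names and the constructed directory layout are this example's own assumptions.

```python
"""Write-side path confinement with symlink resolution (example, not project code)."""
import os
import shutil
import tempfile
from pathlib import Path


def _inside(path: Path, parent: Path) -> bool:
    return os.path.commonpath([str(path), str(parent)]) == str(parent)


def resolve_for_write(root, writable_subdir, requested):
    """Return the real path a write may go to, or raise PermissionError.

    - relative requests are taken relative to the writable subdirectory
    - existing components are resolved (symlinks followed) before the check;
      for a file that does not exist yet the parent is resolved and the final
      name re-appended, so a symlinked parent cannot redirect the write
    - a missing parent directory is refused rather than created
    """
    root = Path(root).resolve(strict=True)
    sandbox = (root / writable_subdir).resolve(strict=True)
    if not _inside(sandbox, root):
        raise PermissionError("writable subdirectory must lie inside the allowed root")
    target = Path(requested)
    if not target.is_absolute():
        target = sandbox / target
    try:
        if target.is_symlink() or target.exists():
            real = target.resolve(strict=True)
        else:
            parent = target.parent.resolve(strict=True)
            real = Path(os.path.normpath(parent / target.name))  # normpath folds a trailing ".."
    except FileNotFoundError as exc:
        raise PermissionError(f"cannot resolve {requested!r}: {exc}") from exc
    if not _inside(real, sandbox):
        raise PermissionError(f"{requested!r} resolves to {real}, outside {sandbox}")
    if real.is_dir():
        raise PermissionError(f"{requested!r} is a directory")
    return real


def build_demo_tree():
    """Constructed layout for the checks below (example data):
    root/config.json            protected file that must stay read-only
    root/uploads/               the writable subdirectory
    root/uploads/notes.txt      ordinary file
    root/uploads/escape  -> root/config.json   symlink planted in the sandbox
    root/uploads/up      -> root               symlinked directory above the sandbox
    """
    root = Path(tempfile.mkdtemp(prefix="fs-confine-"))
    (root / "config.json").write_text("{}")
    (root / "uploads").mkdir()
    (root / "uploads" / "notes.txt").write_text("")
    os.symlink(root / "config.json", root / "uploads" / "escape")
    os.symlink(root, root / "uploads" / "up")
    return root


def demo_decisions():
    """Run the check over a set of requests; returns {request: 'allow' | 'deny'}."""
    root = build_demo_tree()

    def decide(req):
        try:
            resolve_for_write(root, "uploads", req)
            return "allow"
        except PermissionError:
            return "deny"

    try:
        decisions = {req: decide(req) for req in [
            "notes.txt", "fresh.txt", "escape", "up/config.json",
            "../config.json", "missing/fresh.txt", ".",
        ]}
        # an absolute path straight at the protected file
        decisions["<root>/config.json"] = decide(str(root / "config.json"))
    finally:
        shutil.rmtree(root)
    return decisions
```

The same resolve-then-compare order matters for the read side too; the difference here is only that the write sandbox is a strict subset of the allowed root.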
HIGH · 1 finding
clients/Gradio/mcp_servers/filesystem/index.ts:448
448      case "read_file": {
449        const parsed = ReadFileArgsSchema.safeParse(args);
450        if (!parsed.success) {
451          throw new Error(`Invalid arguments for read_file: ${parsed.error}`);
452        }
453        const validPath = await validatePath(parsed.data.path);
454        const content = await fs.readFile(validPath, "utf-8");
455        return {
456          content: [{ type: "text", text: content }],
457        };
458      }
clients/Gradio/main.py:18 → clients/Gradio/mcp_client.py:133 → clients/Gradio/mcp_servers/filesystem/index.ts:448

// Exploitable if an attacker can influence the LLM's tool selection, e.g., via prompt injection or if the LLM is compromised.

EXPLAIN: The read_file tool takes a path from the LLM and returns the file contents without any authentication. An attacker who can influence the LLM can read any file within the allowed directories, and the contents flow back into the conversation where the attacker may be able to see them.
IMPACT: An attacker could read sensitive files such as configuration files, credentials, or proprietary data stored in allowed directories.
FIX: Implement authentication and authorization for read operations. Consider restricting read access to specific files or requiring user consent.
MEDIUM · 1 finding
clients/Gradio/main.py:133
133        get_local_storage = """
134            function() {
135              globalThis.setStorage = (key, value)=>{
136                localStorage.setItem(key, JSON.stringify(value))
137              }
138               globalThis.getStorage = (key, value)=>{
139                return JSON.parse(localStorage.getItem(key))
140              }
141               const username_input =  getStorage('login')
142               const password_input =  getStorage('password')
143               return [username_input, password_input];
144              }
145            """
clients/Gradio/main.py:133

// Exploitable if the web application is vulnerable to XSS or if an attacker has access to the client machine.

EXPLAIN: The page's JavaScript stores the username and password in the browser's localStorage, where they persist across sessions until explicitly removed. localStorage is readable by any script running on the same origin, so a single XSS bug exposes both values, and the password is stored in plaintext.
IMPACT: An attacker who can execute JavaScript in the same origin (e.g., via XSS) can steal the stored credentials. This could lead to account takeover.
FIX: Avoid storing credentials in localStorage. Keep the session server-side and reference it with a Secure, HttpOnly cookie. If the browser must remember a login, use the Credential Management API (navigator.credentials) rather than a hand-rolled store.
MEDIUM · 1 finding
clients/Gradio/mcp_servers/sqlite/src/mcp_server_sqlite/server.py:320
320            elif name == "describe_table":
321                if not arguments or "table_name" not in arguments:
322                    raise ValueError("Missing table_name argument")
323                results = db._execute_query(
324                    f"PRAGMA table_info({arguments['table_name']})"
325                )
clients/Gradio/main.py:18 → clients/Gradio/mcp_client.py:133 → clients/Gradio/mcp_servers/sqlite/src/mcp_server_sqlite/server.py:320

// Exploitable if an attacker can influence the LLM's tool arguments, e.g., via prompt injection or if the LLM is compromised.

EXPLAIN: The table_name argument is interpolated into the PRAGMA text without validation, quoting, or parameterization. How much that buys an attacker depends on _execute_query, which is not shown here: if it runs the text through sqlite3's cursor.execute(), only one statement is compiled per call, so a stacked payload such as users; DROP TABLE users; -- fails with an error instead of running, and the PRAGMA argument grammar leaves no room for a subquery. The unvalidated identifier is still a defect: it gives the LLM a free-form string that reaches the SQL layer, and a different _execute_query (executescript, for instance) would turn it into full injection.
IMPACT: With single-statement execution the practical effect is limited to errors and probing of table names; with multi-statement execution an attacker could run arbitrary SQL and cause data loss or unauthorized data access. Note that the same server already exposes write_query, so this path adds little beyond what that tool grants.
FIX: Validate table_name against the names in sqlite_master (an allowlist of existing tables), or pass it as a bound parameter to the table-valued form, SELECT * FROM pragma_table_info(?), so that no identifier is ever spliced into SQL text.
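What the interpolation can and cannot do under sqlite3, and the allowlist-plus-bound-parameter version from the FIX, as an added example that is not the project's code. The sample schema, the payload strings and the function names are this example's own; pragma_table_info() as a table-valued function needs SQLite 3.16 or newer.

```python
"""describe_table: unsafe interpolation beside a validated, bound version (example)."""
import sqlite3


def demo_db():
    # Constructed sample database (example data, not the project's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT)")
    conn.commit()
    return conn


def describe_table_unsafe(conn, table_name):
    # The page's pattern: the identifier goes straight into the PRAGMA text.
    return conn.execute(f"PRAGMA table_info({table_name})").fetchall()


def describe_table_safe(conn, table_name):
    """Allowlist the name against the schema, then bind it; nothing is spliced."""
    if table_name.startswith("sqlite_"):
        raise LookupError("internal tables are not described")
    known = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table_name,)
    ).fetchone()
    if known is None:
        raise LookupError(f"no such table: {table_name!r}")
    rows = conn.execute("SELECT name, type FROM pragma_table_info(?)", (table_name,))
    return [(name, col_type) for name, col_type in rows]


def injection_outcome(conn, payload):
    """Classify what happens when `payload` reaches the unsafe version."""
    try:
        describe_table_unsafe(conn, payload)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # The driver compiled the first statement, found a second one in the
        # remaining text and refused the call (ProgrammingError from Python
        # 3.11 on, sqlite3.Warning before that).
        return "second statement refused by driver"
    except sqlite3.OperationalError:
        # SQLite could not even parse the first statement.
        return "syntax error"
    return "executed"


def safe_lookup_fails(conn, table_name):
    try:
        describe_table_safe(conn, table_name)
    except LookupError:
        return True
    return False


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None
```

The two payloads differ only in whether the attacker closes the parenthesis first; neither drops the table through cursor.execute(), which is the caveat the finding above needs, and neither gets past the allowlist in describe_table_safe.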
MEDIUM · 1 finding
clients/Gradio/mcp_servers/filesystem/index.ts:334
334server.setRequestHandler(ListToolsRequestSchema, async () => {
335  return {
336    tools: [
337      {
338        name: "read_file",
339        ...
340      },
341      {
342        name: "write_file",
343        ...
344      },
345      ...
346    ],
347  };
348});
clients/Gradio/main.py:18 → clients/Gradio/mcp_client.py:133 → clients/Gradio/mcp_servers/filesystem/index.ts:334

// Exploitable if an attacker can influence the LLM's tool selection, e.g., via prompt injection or if the LLM is compromised.

EXPLAIN: The filesystem server advertises a comprehensive set of file operations (read, write, edit, move, delete, search) to the LLM with no user confirmation or approval step in between. The LLM can therefore perform destructive actions autonomously on the strength of a single prompt, which is more capability than a chat assistant needs.
IMPACT: An attacker who can influence the LLM (e.g., via prompt injection) can perform arbitrary file operations within the allowed directories without any user oversight, leading to data loss or unauthorized modifications.
FIX: Implement a confirmation mechanism for destructive operations (write, edit, move, delete), and advertise only the tools a given session actually needs. Consider requiring user approval before executing such actions.
MEDIUM · 1 finding
clients/Gradio/mcp_servers/sqlite/src/mcp_server_sqlite/server.py:239
239    @server.list_tools()
240    async def handle_list_tools() -> list[types.Tool]:
241        """List available tools"""
242        return [
243            types.Tool(
244                name="read_query",
245                ...
246            ),
247            types.Tool(
248                name="write_query",
249                ...
250            ),
251            types.Tool(
252                name="create_table",
253                ...
254            ),
255            ...
256        ]
clients/Gradio/main.py:18 → clients/Gradio/mcp_client.py:133 → clients/Gradio/mcp_servers/sqlite/src/mcp_server_sqlite/server.py:239

// Exploitable if an attacker can influence the LLM's tool selection, e.g., via prompt injection or if the LLM is compromised.

EXPLAIN: The SQLite server advertises its write operations (write_query, create_table) to the LLM with no user confirmation. The LLM can therefore modify the database structure and data on its own, which is more capability than a chat assistant needs.
IMPACT: An attacker who can influence the LLM can modify or delete database content without user oversight, leading to data integrity issues.
FIX: Implement a confirmation mechanism for write operations. Consider requiring user approval before executing INSERT, UPDATE, DELETE, or CREATE TABLE statements.
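A client-side gate of the kind the last three findings (write_file without confirmation, the filesystem tool list, the SQLite tool list) ask for, as an added example that is not the project's code: it sits where the Gradio client forwards the model's tool calls, trims the tool list the model sees, refuses tools it cannot classify, and runs destructive tools only after a user decision bound to the exact arguments of that call, under a per-session budget. The classification uses tool names quoted on this page plus the filesystem server's edit/move/search tools; the class ToolGate, its callbacks and the budget are this example's own assumptions.

```python
"""Least-privilege tool gate for an MCP client (example, not the project's code)."""
import hashlib
import json

READ_ONLY = {"read_file", "search_files", "read_query", "describe_table"}
DESTRUCTIVE = {"write_file", "edit_file", "move_file", "write_query", "create_table"}


def call_fingerprint(tool, args):
    """Stable digest of (tool, args). A confirmation is recorded against it, so
    a 'yes' given for one write cannot be reused for a call with other arguments."""
    canonical = json.dumps([tool, args], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


class ToolGate:
    def __init__(self, advertised, confirm, max_destructive=3):
        self.advertised = set(advertised)   # tools this session lets the model see
        self.confirm = confirm               # UI hook: confirm(tool, args) -> bool
        self.max_destructive = max_destructive
        self.destructive_used = 0
        self.audit = []                      # one record per decision

    def visible_tools(self, server_tools):
        """Trim the servers' tool list before it is handed to the model."""
        return [t for t in server_tools if t["name"] in self.advertised]

    def authorize(self, tool, args):
        record = {"tool": tool, "fingerprint": call_fingerprint(tool, args)}
        if tool not in self.advertised:
            return self._record(record, "deny", "tool not advertised to the model")
        if tool in READ_ONLY:
            return self._record(record, "allow", "read-only tool")
        if tool not in DESTRUCTIVE:
            return self._record(record, "deny", "unclassified tool")
        if self.destructive_used >= self.max_destructive:
            return self._record(record, "deny", "destructive-call budget exhausted")
        if not self.confirm(tool, args):
            return self._record(record, "deny", "user declined")
        self.destructive_used += 1
        return self._record(record, "allow", "user confirmed this exact call")

    def _record(self, record, decision, reason):
        record.update(decision=decision, reason=reason)
        self.audit.append(record)
        return record

    def dispatch(self, tool, args, execute):
        """Call execute(tool, args) only if authorize() allows; else return the denial."""
        verdict = self.authorize(tool, args)
        if verdict["decision"] != "allow":
            return {"error": verdict["reason"]}
        return execute(tool, args)
```

The gate is deliberately on the client side of the MCP boundary: the servers on this page trust whatever the client sends, so the client is the last place a human decision can be inserted before a write happens.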
MEDIUM · 1 finding
clients/Gradio/main.py:41
41    vllm_url =  config.get("vllm_url", "")
42    vllm_api_key = config.get("vllm_api_key", "")
clients/Gradio/main.py:41

// Exploitable if an attacker gains access to the server's filesystem or network traffic.

EXPLAIN: vllm_url and vllm_api_key are read from a configuration file and used to build the OpenAI client. The key is sent in the Authorization header of every request, so it is exposed wherever the config file is readable, wherever the values reach logs or error messages, and on the wire whenever the connection is not protected by TLS with verification enabled (see the LOW finding below, which disables it).
IMPACT: An attacker who obtains the API key could use the vLLM service, potentially incurring costs or accessing sensitive data.
FIX: Restrict the configuration file's permissions, or take the key from an environment variable or secret store instead of a file. Keep the endpoint on HTTPS with certificate verification enabled (verify=True).
LOW · 1 finding
clients/Gradio/main.py:200
200                            client = OpenAI(
201                                base_url=vllm_url,
202                                api_key=vllm_api_key,
203                                http_client=httpx.Client(verify=False)
204                            )
clients/Gradio/main.py:200

// Exploitable if an attacker can perform a man-in-the-middle attack on the network between the client and the vLLM server.

EXPLAIN: The HTTP client is created with verify=False, which disables certificate verification for every request to the vLLM API. Anyone positioned on the network path can present any certificate and read or modify the traffic in both directions.
IMPACT: An attacker on the network could capture the API key from the request headers, read prompts and completions, or inject responses of their own; since the model's replies drive the tool calls in the findings above, injected responses can translate into file writes and SQL writes.
FIX: Remove verify=False (httpx verifies certificates by default). If the vLLM endpoint uses a self-signed or private-CA certificate, trust that specific CA by passing its PEM bundle as the verify argument instead of disabling verification.
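The two configuration findings together, as an added example that is not the project's code: the endpoint and key come from the environment rather than a config file, the URL must be https, and a private CA (the usual reason verify=False gets written in the first place) is trusted by pointing an SSL context at its bundle instead of turning verification off. httpx.Client(verify=...) accepts such a context, so the result drops into the OpenAI client constructor shown above. The variable names VLLM_URL, VLLM_API_KEY and VLLM_CA_BUNDLE and the function names are this example's own assumptions.

```python
"""Environment-sourced vLLM settings with verification kept on (example code)."""
import os
import ssl
from urllib.parse import urlsplit


def load_vllm_settings(env=None):
    """Return {"base_url", "api_key", "ssl_context"} or raise ValueError."""
    env = os.environ if env is None else env
    base_url = env.get("VLLM_URL", "")
    api_key = env.get("VLLM_API_KEY", "")
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("VLLM_URL must be an https:// URL")
    if not api_key:
        raise ValueError("VLLM_API_KEY is not set")
    # Optional PEM bundle of a private CA; None falls back to the system store.
    ca_bundle = env.get("VLLM_CA_BUNDLE") or None
    ctx = ssl.create_default_context(cafile=ca_bundle)
    # create_default_context() already sets both; restating them makes a later
    # "quick fix" that relaxes verification fail loudly instead of silently.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return {"base_url": base_url, "api_key": api_key, "ssl_context": ctx}


def verification_enabled(settings):
    ctx = settings["ssl_context"]
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def redacted(settings):
    """The form that may go into logs or error messages: key reduced to a prefix."""
    key = settings["api_key"]
    return {"base_url": settings["base_url"], "api_key": key[:4] + "..." if key else ""}


def rejection_reason(env):
    """None if `env` is acceptable, otherwise the validation message."""
    try:
        load_vllm_settings(env)
    except ValueError as exc:
        return str(exc)
    return None
```

With these settings the client is built as OpenAI(base_url=settings["base_url"], api_key=settings["api_key"], http_client=httpx.Client(verify=settings["ssl_context"])); the only thing that changes between a public endpoint and one behind a private CA is the VLLM_CA_BUNDLE path.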
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.