AbhilashPoshanagari/openAi_MCP_server (critical)
No description
This MCP server provides layout visualization (table, map, form, button, kanban), document retrieval, form management, object detection via WebRTC, an...
purpose: This MCP server provides layout visualization (tab
threat: network exposed
RISK SCORE: 0 / 100 risk
Scoring: high findings +50, medium findings +15, critical findings +40, capped at 100
VULNERABILITY ANALYSIS · 4 findings in 4 blocks · 3 HIGH · 1 MEDIUM

CRITICAL · 1 finding
tools/tools.py:185

    async def databaseAccess(self, query: str, ctx: Context) -> str:
        ...
        result = await ctx.elicit(
            message="we need credentials to get access!",
            schema=DatabaseDetails,
        )
        match result:
            case AcceptedElicitation(data=data):
                if data.username and data.password:
                    database = PostgreSQL(
                        host=data.host,
                        port=data.port,
                        user=data.username,
                        password=data.password,
                        database=data.database,
                    )
                    try:
                        # `query` is forwarded unchanged: nothing restricts it to SELECT
                        res = await self.executeQuery(defaultQuery=query, database=database, ctx=ctx)
                    except Exception as e:
                        res = "Error something went wrong"
        return res

Call path: rag_mcp_server.py:122 → rag_mcp_server.py:19 → tools/tools.py:14
// Network-exposed MCP server; any client can call this tool without authentication.
EXPLAIN: The databaseAccess tool accepts arbitrary SQL queries from the user and executes them against a PostgreSQL database using credentials provided by the user. The tool's description explicitly states it converts natural language to SQL and executes it. While the tool elicits credentials, the query itself is not validated or restricted to read-only operations. An attacker could provide any SQL statement, including INSERT, UPDATE, DELETE, DROP, or other destructive commands. The tool is exposed over the network (host 0.0.0.0) and can be called by any client that can reach the MCP server.
IMPACT: An attacker could execute arbitrary SQL queries on any PostgreSQL database for which they can provide credentials. This includes data exfiltration, data destruction, privilege escalation, and potentially lateral movement to other systems if the database has network access.
FIX: Restrict the databaseAccess tool to only allow SELECT queries. Implement a query parser or whitelist to reject any non-SELECT statements. Alternatively, remove the tool entirely if it is not part of the intended purpose.
HIGH · 1 finding
rag_mcp_server.py:265
def generate_dynamic_form(
    form_id: str = "e2f293e90000000000000000",
    fieldOn_access_token: str = ""
) -> Dict[str, Any]:
    ...
    # form_id is interpolated into the request path without any validation
    form_schema_url = f"https://dev.mobile-springboard.digital.trccompanies.com/api/v1/forms/formSkeleton/{form_id}/null/True/null/null/null/null/64898d0cc2fd807b50602703/openform"
    headers = {
        "Content-Type": "application/json",
        # caller-supplied token is sent verbatim as the Authorization header
        "Authorization": f"{fieldOn_access_token}",
        "Accept": "application/json",
    }
    fieldOn_form = RestApiHelper.get_request(url=form_schema_url, headers=headers)

Call path: rag_mcp_server.py:122 → rag_mcp_server.py:19 → layoutSchema/api_calls.py (assumed)
// Network-exposed MCP server; tool is callable by any client.
EXPLAIN: The generate_dynamic_form tool constructs a URL using the user-provided form_id parameter and makes an HTTP GET request to that URL. The form_id is directly interpolated into the URL without validation, allowing an attacker to control the path. Additionally, the fieldOn_access_token parameter is passed as an Authorization header, which could be used to access other endpoints if the token is valid. This is a server-side request forgery (SSRF) vulnerability because the server fetches a URL that the attacker can influence.
IMPACT: An attacker could make the server send HTTP requests to arbitrary internal or external hosts, potentially accessing internal services, cloud metadata endpoints, or other sensitive resources. The attacker could also use a valid access token to access other APIs.
FIX: Validate the form_id parameter to ensure it matches an expected format (e.g., alphanumeric, specific length). Do not allow arbitrary path components. Consider using a whitelist of allowed form IDs or fetch the form schema from a controlled endpoint without user input in the URL.
HIGH · 1 finding
rag_mcp_server.py:448
def button_layout_tool(
    button_title: str,
    link: str,
    deeplink: str = ""
) -> Dict[str, Any]:
    ...
    # `link` is stored as given; no scheme or host check is applied
    button_data = {
        "title": button_title,
        "link": link
    }

    if deeplink:
        button_data["deeplink"] = deeplink

    button_layout = {
        "layouts": [{
            "type": "button",
            "data": button_data
        }]
    }

    return button_layout

Call path: rag_mcp_server.py:122
// Network-exposed MCP server; tool returns data that may be rendered by a client.
EXPLAIN: The button_layout_tool accepts a 'link' parameter that is intended to be a URL. However, there is no validation or sanitization of this URL. An attacker could provide a malicious URL such as 'file:///etc/passwd', 'javascript:alert(1)', or a URL pointing to internal services. The tool returns this URL in the response, and if the client renders it as a clickable link, it could lead to SSRF, XSS, or other attacks.
IMPACT: An attacker could craft a button that, when clicked by a user, navigates to a malicious site, executes JavaScript, or accesses local files. If the client application does not properly sanitize URLs, this could lead to information disclosure or client-side attacks.
FIX: Validate the 'link' parameter to ensure it is a safe URL (e.g., only https:// scheme, no file:// or javascript:). Consider using a URL parser and whitelist of allowed domains.
MEDIUM · 1 finding
rag_mcp_server.py:165
def table_layout_tool(table_name: str, column_names: list[str], data: list[list[str]]):

    # strings are wrapped into the layout model as-is; nothing escapes or sanitizes them
    table_data = TableFormat(table_name=table_name, column_names=column_names, data=data)
    table_layout = {"layouts": [TableLayout(type="table", data=table_data)]}
    return table_layout

Call path: rag_mcp_server.py:122
// Network-exposed MCP server; data may be rendered by a client.
EXPLAIN: The table_layout_tool and map_layout_tool accept data from the LLM without any validation of the content. While this is somewhat expected for layout tools, the lack of input validation could allow an attacker to inject malicious content (e.g., XSS payloads in table data or map feature properties) that might be rendered unsafely by the client. The tool does not sanitize or escape the data before returning it.
IMPACT: If the client application renders the returned layout data without proper sanitization, an attacker could inject HTML/JavaScript, leading to cross-site scripting (XSS) or other client-side attacks.
FIX: Sanitize or escape all string data returned by these tools to prevent injection attacks. Ensure that the client application also properly sanitizes rendered content.
Scanned: 5/22/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.