Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-63gr-g7jc-v8rg | @agenticmail/mcp Missing Authentication for Critical Function |
Mon, 15 Jun 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 12 Jun 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Agenticmail
Agenticmail agenticmail |
|
| Vendors & Products |
Agenticmail
Agenticmail agenticmail |
Fri, 12 Jun 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | AgenticMail gives AI agents real email addresses and phone numbers. Prior to version 0.9.27, @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or MCP_HTTP=1. In that mode, the /mcp endpoint accepts requests without any HTTP authentication layer. A remote client can initialize a session and call tools directly. This issue has been patched in version 0.9.27. | |
| Title | Missing Authentication for Critical Function in @agenticmail/mcp | |
| Weaknesses | CWE-306 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-15T18:18:24.876Z
Reserved: 2026-06-04T16:26:05.985Z
Link: CVE-2026-50287
Updated: 2026-06-15T18:18:11.986Z
Status : Deferred
Published: 2026-06-12T20:16:46.940
Modified: 2026-06-16T15:51:54.823
Link: CVE-2026-50287
No data.
OpenCVE Enrichment
Updated: 2026-06-12T20:30:06Z
Github GHSA