{"uuid": "1841efc8-b80e-4689-8d50-8592f7382958", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-382C-VX95-W3P5", "type": "seen", "source": "https://gist.github.com/alon710/bf8c27e81f237e373da9208c021626d0", "content": "# GHSA-382C-VX95-W3P5: GHSA-382C-VX95-W3P5: Missing Access Control on Profile Endpoint and MCP Tool in Gittensory\n\n&gt; **CVSS Score:** 6.5\n&gt; **Published:** 2026-07-09\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-382C-VX95-W3P5\n\n## Summary\nAn insecure direct object reference (IDOR) and missing authorization validation check in the Gittensory REST API and Model Context Protocol (MCP) server allowed authenticated users to query arbitrary miner profiles, exposing sensitive cryptographic hotkeys and daily financial/economic yields.\n\n## TL;DR\nGittensory failed to validate contributor access permissions on its profile REST endpoint and Model Context Protocol tool, exposing cryptographic hotkeys and financial metrics to any authenticated user.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-284 / CWE-639\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 6.5\n- **EPSS Score**: Not Applicable (No CVE Assigned)\n- **Impact**: Confidentiality Leak (Cryptographic Hotkeys and Yield Data)\n- **Exploit Status**: PoC Available in Test Suite\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Gittensory REST API Server\n- @jsonbored/gittensory-mcp Daemon\n- **Gittensory**: &lt; Commit 811ef5fb9d748170011f8854d88c64627ad666a0 (Fixed in: `Commit 811ef5fb9d748170011f8854d88c64627ad666a0`)\n\n## Mitigation\n\n- Apply the fix committed in repository version 811ef5fb9d748170011f8854d88c64627ad666a0\n- Restrict REST API network access to authenticated corporate subnets or loopback interfaces\n- Restrict exposure of Model Context Protocol (MCP) server endpoints to trusted LLM client applications\n- Run the automated integration test suite to verify endpoint authorization restrictions\n\n**Remediation Steps:**\n1. Clone or pull the latest update from Gittensory source repository\n2. Apply the patch from commit 811ef5fb9d748170011f8854d88c64627ad666a0 to local branches\n3. Recompile the server code and run the node package manager dependency builders\n4. Restart the Gittensory API service and the daemon hosting the MCP servers\n5. Execute the integrated test suite using npm test to confirm the profile endpoint rejects unauthorized requests\n\n## References\n\n- [GitHub Advisory: Missing contributor-scoped access control on profile endpoint and MCP tool](https://github.com/advisories/GHSA-382C-VX95-W3P5)\n- [Gittensory Official Repository](https://github.com/JSONbored/gittensory)\n- [Official Patch Commit](https://github.com/JSONbored/gittensory/commit/811ef5fb9d748170011f8854d88c64627ad666a0)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-382C-VX95-W3P5) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-09T14:11:44.154387Z"}