🧪 Benchmark: Should we run the Virtual MCP strategy benchmark for this PR? React with 👍 to run the benchmark. Benchmark will run on the next push after you react.
Release Options: Should a new version be published when this PR is merged? React with an emoji to vote on the release type:
Current version:
Deployment
viktormarinho approved these changes on Feb 20, 2026
@0xcucumbersalad please fix the checks, and also check whether this also handles IDOR for users that are logged in but hijacking another org's MCPs?
Fix: Authorization Vulnerability in OAuth Proxy Endpoint
What is this contribution about?
Endpoint: ALL /oauth-proxy/:connectionId/*

This PR fixes a critical authorization vulnerability where unauthenticated attackers could hijack OAuth authorization flows for any connection across organizations. The issue allowed malicious actors to initiate or manipulate OAuth flows without proper authentication or ownership validation of the connectionId.

This update ensures:
Summary by cubic
Enforce authentication and organization ownership checks on all /oauth-proxy/:connectionId/* endpoints to block cross‑org OAuth hijacking. Adds E2E coverage for 401, 403, and 404 behaviors across authorize, token, and register flows.
Written for commit e88cda5. Summary will update on new commits.
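As an added illustration (not the project's code), here is the check the description and the cubic summary call for, written framework-agnostically: authenticate the caller (401), confirm the connectionId exists (404), then confirm it belongs to the caller's organization (403), for every subpath under /oauth-proxy/:connectionId/*. The Session and Connection shapes, the in-memory store and the route regex are assumptions.

```typescript
// Added example, not the project's own code. Session/Connection shapes,
// the sample store and the subpath list are assumptions for illustration.
interface Session { userId: string; orgId: string }
interface Connection { id: string; orgId: string }
type Decision = { status: 200 } | { status: 401 | 403 | 404; error: string };

// Constructed sample store standing in for the project's connection table.
const CONNECTIONS: ReadonlyMap<string, Connection> = new Map([
  ["conn-a1", { id: "conn-a1", orgId: "org-acme" }],
  ["conn-b2", { id: "conn-b2", orgId: "org-globex" }],
]);

// Order matters: authentication first (401), then existence (404), then
// ownership (403). An unauthenticated caller is rejected before any lookup,
// so it learns nothing about which connectionIds exist.
function authorizeOauthProxy(
  session: Session | null,
  connectionId: string,
  store: ReadonlyMap<string, Connection> = CONNECTIONS,
): Decision {
  if (!session) {
    return { status: 401, error: "authentication required" };
  }
  const connection = store.get(connectionId);
  if (!connection) {
    return { status: 404, error: "connection not found" };
  }
  if (connection.orgId !== session.orgId) {
    // The IDOR case raised in review: a logged-in user from another org.
    // Authenticated, but not the owner of this connection.
    return { status: 403, error: "connection belongs to another organization" };
  }
  return { status: 200 };
}

// How a route handler would apply the decision to the authorize, token and
// register subpaths; unknown subpaths are a plain 404.
function handleOauthProxy(session: Session | null, path: string): number {
  const m = /^\/oauth-proxy\/([^/]+)\/(authorize|token|register)$/.exec(path);
  if (!m) return 404;
  return authorizeOauthProxy(session, m[1]).status;
}
```

Answering 403 rather than 404 for the cross-org case confirms to an authenticated caller that the connectionId exists; if that enumeration matters, collapse the 403 into a 404 while keeping the ownership check itself.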