{"id":81296,"date":"2026-06-30T22:46:25","date_gmt":"2026-06-30T19:16:25","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-7663-unauthenticated-cross-user-mcp-resource-access-and-tool-execution-via-streamable-transport-authorization-bypass\/"},"modified":"2026-06-30T22:46:25","modified_gmt":"2026-06-30T19:16:25","slug":"cve-2026-7663-unauthenticated-cross-user-mcp-resource-access-and-tool-execution-via-streamable-transport-authorization-bypass","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-7663-unauthenticated-cross-user-mcp-resource-access-and-tool-execution-via-streamable-transport-authorization-bypass\/","title":{"rendered":"CVE-2026-7663 &#8211; Unauthenticated Cross-User MCP Resource Access and Tool Execution via Streamable Transport Authorization Bypass"},"content":{"rendered":"<p>CVE ID :CVE-2026-7663<\/p>\n<p>  Published : June 30, 2026, 7:16 p.m. | 29\u00a0minutes ago<\/p>\n<p>  Description :IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.<\/p>\n<p>  Severity: 9.1 | CRITICAL<\/p>\n<p>  Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID :CVE-2026-7663 Published : June 30, 2026, 7:16 p.m. | 29\u00a0minutes ago Description :IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint. Severity: 9.1 | CRITICAL Visit the link for more details, &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-81296","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/81296","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=81296"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/81296\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=81296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=81296"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=81296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}