Missing Authentication for Critical Function Affecting camofox-mcp package, versions <1.13.2


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Missing Authentication for Critical Function vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-CAMOFOXMCP-17755176
  • published1 Jul 2026
  • disclosed19 May 2026
  • creditUnknown

Introduced: 19 May 2026

CVE NOT AVAILABLE CWE-306  (opens in a new tab)

How to fix?

Upgrade camofox-mcp to version 1.13.2 or higher.

Overview

camofox-mcp is an Anti-detection browser MCP server for AI agents — navigate, interact, and automate the web without getting blocked

Affected versions of this package are vulnerable to Missing Authentication for Critical Function through the /mcp handler in src/http.ts. An attacker can list and invoke browser-control tools by sending requests to the MCP endpoint without any inbound API key or authorization header. When HTTP mode is exposed beyond local loopback bind, the server accepts those requests and forwards the resulting tool calls to the backend browser service using the server-side CAMOFOX_API_KEY if configured. This allows an unauthenticated client to drive browser actions such as tab creation, navigation, and interactions with authenticated browser contexts, undermining the intended control plane for anyone who can reach /mcp.

CVSS Base Scores

version 4.0
version 3.1