agent-threat-rules 3.4.0 → 3.5.1
- package/README.md +65 -29
- package/dist/cli.js +23 -0
- package/dist/cli.js.map +1 -1
- package/dist/engine.d.ts +37 -2
- package/dist/engine.d.ts.map +1 -1
- package/dist/engine.js +99 -44
- package/dist/engine.js.map +1 -1
- package/dist/loader.d.ts.map +1 -1
- package/dist/loader.js +6 -0
- package/dist/loader.js.map +1 -1
- package/dist/quality/rule-contract.d.ts +65 -0
- package/dist/quality/rule-contract.d.ts.map +1 -0
- package/dist/quality/rule-contract.js +97 -0
- package/dist/quality/rule-contract.js.map +1 -0
- package/dist/trace-evaluator.d.ts.map +1 -1
- package/dist/trace-evaluator.js +58 -20
- package/dist/trace-evaluator.js.map +1 -1
- package/dist/types.d.ts +2 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +2 -2
- package/rules/agent-manipulation/ATR-2026-00030-cross-agent-attack.yaml +2 -1
- package/rules/agent-manipulation/ATR-2026-00032-goal-hijacking.yaml +2 -2
- package/rules/agent-manipulation/ATR-2026-00074-cross-agent-privilege-escalation.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00076-inter-agent-message-spoofing.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00077-human-trust-exploitation.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00117-agent-identity-spoofing.yaml +2 -2
- package/rules/agent-manipulation/ATR-2026-00416-litellm-mcp-unauthenticated-server-registration.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00417-librechat-mcp-stdio-injection.yaml +2 -2
- package/rules/agent-manipulation/ATR-2026-00418-weknora-mcp-config-rce.yaml +2 -2
- package/rules/agent-manipulation/ATR-2026-00430-nl-trust-escalation-impersonation.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00552-goal-drift-after-pressure-injection.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00020-system-prompt-leak.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00075-agent-memory-manipulation.yaml +1 -0
- package/rules/context-exfiltration/ATR-2026-00162-skill-credential-exfil-combo.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00201-credential-pipe-exfiltration.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00212-mcp-atlassian-credential-leak.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00405-markdown-image-url-exfiltration-xss.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00411-apikey-generation-completion-request.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00422-nl-credential-disclosure.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00423-nl-sensitive-file-disclosure.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00426-nl-output-injection-credential-leak.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00449-spring-ai-chatmemory-cross-user-leak.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00471-garak-sysprompt-extraction-mixedunassigned.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00501-data-exfiltration-via-markdown-image-and-link-url-injection.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00504-tool-and-function-capability-enumeration.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00505-system-prompt-extraction-instruction-dump-request.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00514-system-prompt-extraction.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00516-output-xss-via-llm.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00524-claude-code-anthropic-base-url-credential-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00548-cross-agent-session-context-leak.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00578-zen-mcp-path-traversal-blacklist-bypass.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00580-mcp-session-id-token-in-url-query.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00583-mcp-env-secret-file-read-without-consent.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00706-ipi-physical-biometric-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00850-indirect-pi-credential-exfil-email.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00851-indirect-pi-financial-payment-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00852-indirect-pi-medical-record-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00853-indirect-pi-genetic-data-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00854-indirect-pi-location-data-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00855-indirect-pi-browsing-history-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00856-indirect-pi-address-pii-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00857-indirect-pi-cloud-file-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00858-indirect-pi-exfil-and-destroy.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00859-rag-injected-pii-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00860-indirect-pi-financial-transfer-hijack.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00861-indirect-pi-crypto-transfer-hijack.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00862-indirect-pi-mfa-code-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01453-markdown-image-base64-exfil-carrier.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01454-direct-markdown-exfil-payload.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01456-debug-cli-mode-sysprompt-extraction.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01457-sysprompt-completion-clone-attack.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01458-compare-bots-sysprompt-fishing.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01459-variable-clone-sysprompt-technique.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01460-json-format-sysprompt-extraction.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01461-foreign-language-sysprompt-request.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01753-ransom-email-exfil-delete-extortion.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01754-ransom-file-cloud-exfil-delete-extortion.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01770-semantic-pii-credential-extraction.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01772-semantic-internal-state-recon.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-01807-asb-bulk-data-exfil-external.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01929-mcp-unauthenticated-transport-token-fallback.yaml +188 -0
- package/rules/data-poisoning/ATR-2026-00070-data-poisoning.yaml +1 -1
- package/rules/data-poisoning/ATR-2026-00570-sql-injection-in-agent-tool-query.yaml +1 -1
- package/rules/data-poisoning/ATR-2026-01774-semantic-rag-memory-poisoning.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00050-runaway-agent-loop.yaml +2 -2
- package/rules/excessive-autonomy/ATR-2026-00051-resource-exhaustion.yaml +3 -3
- package/rules/excessive-autonomy/ATR-2026-00052-cascading-failure.yaml +2 -2
- package/rules/excessive-autonomy/ATR-2026-00098-unauthorized-financial-action.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00099-high-risk-tool-gate.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00428-nl-unauthorized-shell-execution.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00491-garak-agent-breaker-markdown-just-raw-json.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00500-ssrf-via-agent-url-fetch-instruction.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00711-ipi-system-sabotage-destructive-command.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00712-ipi-malicious-package-install.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00713-ipi-rce-network-shell-command.yaml +1 -1
- package/rules/model-abuse/ATR-2026-00413-malwaregen-code-generation-request.yaml +3 -2
- package/rules/model-abuse/ATR-2026-00502-training-data-extraction-via-divergent-repetition-attack.yaml +1 -1
- package/rules/model-abuse/ATR-2026-00517-model-extraction-distillation.yaml +1 -1
- package/rules/model-abuse/ATR-2026-01750-dos-repeat-word-n-times-output-amplification.yaml +2 -2
- package/rules/model-abuse/ATR-2026-01760-dos-forced-infinite-output-token-flood.yaml +2 -2
- package/rules/model-abuse/ATR-2026-01841-deepfake-disinformation.yaml +1 -1
- package/rules/model-security/ATR-2026-00072-model-behavior-extraction.yaml +2 -2
- package/rules/model-security/ATR-2026-00073-malicious-finetuning-data.yaml +1 -1
- package/rules/model-security/ATR-2026-00433-modelcache-torch-load-deserialization-rce.yaml +2 -2
- package/rules/privilege-escalation/ATR-2026-00041-scope-creep.yaml +1 -1
- package/rules/privilege-escalation/ATR-2026-00436-enclave-vm-sandbox-escape-rce.yaml +1 -0
- package/rules/privilege-escalation/ATR-2026-00451-litellm-admin-sqli-cisa-kev.yaml +1 -1
- package/rules/privilege-escalation/ATR-2026-00539-crewai-codeinterpreter-sandbox-escape-rce.yaml +1 -0
- package/rules/privilege-escalation/ATR-2026-00549-destructive-tool-without-human-approval.yaml +1 -1
- package/rules/privilege-escalation/ATR-2026-00551-cross-conversation-memory-write.yaml +2 -3
- package/rules/privilege-escalation/ATR-2026-01615-sandbox-escape-command-injection.yaml +1 -0
- package/rules/privilege-escalation/ATR-2026-01899-remote-access-backdoor.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00001-direct-prompt-injection.yaml +1 -0
- package/rules/prompt-injection/ATR-2026-00002-indirect-prompt-injection.yaml +1 -0
- package/rules/prompt-injection/ATR-2026-00003-jailbreak-attempt.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00004-system-prompt-override.yaml +11 -2
- package/rules/prompt-injection/ATR-2026-00005-multi-turn-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00104-persona-hijacking.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00203-context-pollution-skill-description.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00245-malicious-persona.yaml +10 -10
- package/rules/prompt-injection/ATR-2026-00297-python-code-execution-rce.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00397-snowball-impossible-reasoning-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00401-leakreplay-cloze-mask-training-data-elicitation.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00420-copilot-studio-sharepoint-indirect-injection.yaml +3 -3
- package/rules/prompt-injection/ATR-2026-00442-quoted-exact-output-forcing.yaml +1 -0
- package/rules/prompt-injection/ATR-2026-00445-translation-hijack-with-side-output.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00447-fictional-generation-containing-target.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00452-direct-pwned-payload-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00453-secret-key-reveal-demand.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00454-backslash-per-character-encoding.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00456-conditional-empty-input-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00465-garak-dan-your-prompt-here.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00472-garak-dan-are-going-to.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00485-garak-dan-and-does-not.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00492-garak-dan-want-you-to.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00495-garak-dan-insert-prompt-here.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00510-delayed-tool-invocation-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00550-untrusted-retrieval-to-privileged-tool.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00579-mcp-tool-description-line-jumping-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00584-indirect-injection-via-tool-response.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01018-evasion-shell-injection-eval.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01021-spikee-doc-embedded-translation-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01304-indirect-injection-carrier-important-override.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01800-asb-trigger-marker-tool-coercion.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01901-output-scrambling.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00060-skill-impersonation.yaml +2 -1
- package/rules/skill-compromise/ATR-2026-00061-description-behavior-mismatch.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00062-hidden-capability.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00063-skill-chain-attack.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00065-skill-update-attack.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00120-skill-instruction-injection.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00121-skill-dangerous-script.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00122-skill-weaponized-instruction.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00123-skill-overreach-permissions.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00124-skill-name-squatting.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00125-context-poisoning-compaction.yaml +2 -1
- package/rules/skill-compromise/ATR-2026-00126-skill-rug-pull-setup.yaml +2 -1
- package/rules/skill-compromise/ATR-2026-00127-subcommand-overflow.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00128-html-comment-hidden-payload.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00129-unicode-smuggling.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00134-fork-claim-impersonation.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00135-exfil-url-in-instructions.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00147-fork-impersonation.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00149-skill-exfil-compound.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00151-fork-impersonation-install.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00200-agent-memory-config-tampering.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00214-credential-theft.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00260-package-hallucination.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00262-av-evasion-code-gen.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00263-credential-file-read-gen.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00266-malware-dropper-gen.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00398-huggingface-unsafe-model-artifact-load.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00425-nl-persistent-covert-hook.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00427-nl-fake-error-instruction-bypass.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00429-nl-skill-self-modification.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00523-claude-code-hooks-session-start-pre-trust-rce.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00525-mini-shai-hulud-gh-token-monitor-persistence.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00527-skill-silent-git-remote-mirror-exfiltration.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-01755-backdoor-pot-linguistic-trigger-phrase.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-01756-backdoor-pot-symbol-emoticon-trigger.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00010-mcp-malicious-response.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00011-tool-output-injection.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00012-unauthorized-tool-call.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00100-consent-bypass-instruction.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00101-trust-escalation-override.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00103-hidden-safety-bypass-instruction.yaml +2 -1
- package/rules/tool-poisoning/ATR-2026-00105-silent-action-concealment.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00106-schema-description-contradiction.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00161-important-tag-cross-tool-shadowing.yaml +3 -2
- package/rules/tool-poisoning/ATR-2026-00209-mcpwn-runaway-invocation.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00210-flowise-system-message-override.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00415-flowise-custom-mcp-stdio-rce.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00419-cursor-mcp-zero-click-config.yaml +7 -3
- package/rules/tool-poisoning/ATR-2026-00434-mcp-remote-authorization-endpoint-command-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00435-azure-mcp-server-missing-authentication.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00494-garak-exploitation-mixedunassigned.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00513-package-hallucination-exploitation.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00521-shell-command-injection-agent-tool-context.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00522-sql-injection-natural-language-agent-interface.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00526-claude-code-shell-metachar-in-double-quoted-path.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00530-ms-agent-shell-tool-unsanitized-argv-rce.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00531-praisonai-unauthenticated-agent-api.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00536-nginx-ui-mcp-unauthenticated-command-execution.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00537-fastmcp-server-name-cmd-injection-windows.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00538-langchain-chatchat-mcp-stdio-unauthenticated-rce.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00540-praisonai-parse-mcp-command-cli-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00543-litellm-mcp-server-argv-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00572-symjack-symlink-config-redirection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00575-miasma-npm-worm-agent-config-backdoor.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00576-hades-agent-credential-theft.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00577-create-mcp-server-stdio-exec-command-injection.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00581-mcp-tool-rug-pull-post-approval-redefinition.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01300-mcp-notes-param-chat-history-exfil.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01301-tool-description-exclusive-tool-override.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01302-fake-tool-result-instruction-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01303-tool-schema-enumeration-social-engineering.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01306-mcp-oauth-command-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01307-mcp-dns-rebinding-attack.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01310-mcp-tool-description-compliance-history-exfil.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01775-semantic-mcp-tool-manifest-poisoning.yaml +4 -3
- package/rules/tool-poisoning/ATR-2026-01927-mcp-server-kubernetes-kubectl-command-injection.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01928-framelink-figma-mcp-curl-fallback-command-injection.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01930-mcp-sampling-prompt-injection.yaml +188 -0
- package/rules/tool-poisoning/ATR-2026-01931-gemini-mcp-tool-command-injection-file-exfil.yaml +169 -0
- package/rules/tool-poisoning/ATR-2026-01932-shadow-undeclared-mcp-server-registration.yaml +160 -0
- package/spec/mappings/atr-to-nist-csf-2.0.md +11 -11
@@ -43,8 +43,8 @@ references:
|
|
|
43
43
|
- "ASI04:2026 - Supply Chain"
|
|
44
44
|
- "ASI09:2026 - Identity Spoofing and Impersonation"
|
|
45
45
|
mitre_atlas:
|
|
46
|
-
- "AML.T0010 -
|
|
47
|
-
- "AML.T0024 - Exfiltration via
|
|
46
|
+
- "AML.T0010 - AI Supply Chain Compromise"
|
|
47
|
+
- "AML.T0024 - Exfiltration via AI Inference API"
|
|
48
48
|
- "AML.T0055 - Unsecured Credentials"
|
|
49
49
|
mitre_attack:
|
|
50
50
|
- "T1552 - Unsecured Credentials"
|
|
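Review bot: the OWASP Agentic ids in this hunk's unchanged context do not agree with the other hunks in this diff: here `- "ASI09:2026 - Identity Spoofing and Impersonation"`, while the T1485 hunk further down has `- "ASI09:2026 - Destructive Agent Behavior"`, and ASI06:2026 appears below both as "Identity Spoofing & Impersonation" and as "Memory and Context Poisoning". One id cannot carry two titles and one title cannot sit under two ids, so reconcile id and wording against the published OWASP Agentic Top 10 list while these reference blocks are being corrected. The two `+` lines themselves are fine: the restored names match ATLAS AML.T0010 and AML.T0024.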
@@ -34,7 +34,7 @@ references:
|
|
|
34
34
|
- "ASI03:2026 - Data Exfiltration"
|
|
35
35
|
- "ASI06:2026 - Identity Spoofing & Impersonation"
|
|
36
36
|
mitre_atlas:
|
|
37
|
-
- "AML.T0024 - Exfiltration via
|
|
37
|
+
- "AML.T0024 - Exfiltration via AI Inference API"
|
|
38
38
|
research:
|
|
39
39
|
- "Argus: Hierarchical Reference-Relationship Graph for Multi-Agent Information Leakage (arXiv:2512.08326)"
|
|
40
40
|
- "Compositional Privacy Risks in Multi-Agent Systems (arXiv:2509.14284)"
|
|
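Review bot: `- "ASI03:2026 - Data Exfiltration"` in this hunk's context disagrees with `- "ASI03:2026 - Tool Misuse"` in the AML.T0051.001 hunks below and with `- "ASI03:2026 - Identity and Privilege Abuse"` in the new ATR-2026-01929 rule; three titles for one id means at least two rules point at the wrong category. Since this release adds `package/dist/quality/rule-contract.js`, the cheapest fix is a single canonical id-to-title table there that every `owasp_agentic` entry is validated against, so the mismatch fails the build instead of shipping. The `+` line completing AML.T0024 is correct.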
@@ -35,7 +35,7 @@ references:
|
|
|
35
35
|
- "ASI06:2026 - Memory and Context Poisoning"
|
|
36
36
|
mitre_atlas:
|
|
37
37
|
- "AML.T0057 - LLM Data Leakage"
|
|
38
|
-
- "AML.T0056 - LLM
|
|
38
|
+
- "AML.T0056 - Extract LLM System Prompt"
|
|
39
39
|
vulnerablemcp_id:
|
|
40
40
|
- session-ids-exposed-in-urls
|
|
41
41
|
external:
|
|
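Review bot: the restored name `- "AML.T0056 - Extract LLM System Prompt"` is the correct ATLAS title, but the rule it sits in identifies itself as `vulnerablemcp_id: session-ids-exposed-in-urls`, and a session or auth token leaking through a URL query is not a system-prompt extraction technique; either justify T0056 in the rule description or replace it with a technique that matches the credential-in-URL behaviour (AML.T0057 is already listed). Also note that this is the only hunk in the diff that maps a system-prompt case to T0056, while the four LLM07:2025 "System Prompt Leakage" hunks below map only AML.T0024, so the mapping convention is inconsistent in both directions.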
@@ -15,7 +15,7 @@ author: "ATR Community"
|
|
|
15
15
|
date: "2026/06/12"
|
|
16
16
|
schema_version: "0.1"
|
|
17
17
|
detection_tier: pattern
|
|
18
|
-
maturity:
|
|
18
|
+
maturity: stable
|
|
19
19
|
severity: critical
|
|
20
20
|
|
|
21
21
|
references:
|
|
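Review bot: `maturity:` moving from an empty value straight to `maturity: stable` needs a stated criterion: the rule in this hunk is dated `2026/06/12`, and the new ATR-2026-01929 rule added two days later in this same release ships as `maturity: experimental`. If the empty field was a serialization defect, the changelog should say so; if it was genuinely unset, `experimental` is the safer default until the rule has trace fixtures. Either way the loader change in `package/dist/loader.js` should reject a missing or empty maturity rather than letting it load as null, which is how this state went unnoticed. The same empty-to-stable change is repeated in the four identical hunks below and the same question applies to each.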
@@ -26,7 +26,7 @@ references:
|
|
|
26
26
|
- "ASI01:2026 - Agent Goal Hijack"
|
|
27
27
|
- "ASI03:2026 - Tool Misuse"
|
|
28
28
|
mitre_atlas:
|
|
29
|
-
- "AML.T0051.001 - Indirect
|
|
29
|
+
- "AML.T0051.001 - Indirect"
|
|
30
30
|
- "AML.T0057 - LLM Data Leakage"
|
|
31
31
|
research:
|
|
32
32
|
- "https://github.com/CUA-Framework/VPIBench"
|
|
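Review bot: the `+` line only closes the quote; `- "AML.T0051.001 - Indirect"` still carries a truncated technique name, whereas the other hunks in this diff restore the full text (for example `- "AML.T0024 - Exfiltration via AI Inference API"`). The ATLAS sub-technique AML.T0051.001 is "LLM Prompt Injection: Indirect", so the entry should read `- "AML.T0051.001 - LLM Prompt Injection: Indirect"`. The identical half-fix is repeated in the ten AML.T0051.001 hunks that follow; fix them together, and have the new rule-contract check require that the text after an ATLAS id is more than a single word so this cannot pass review as a green diff again.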
@@ -15,7 +15,7 @@ author: "ATR Community"
|
|
|
15
15
|
date: "2026/06/12"
|
|
16
16
|
schema_version: "0.1"
|
|
17
17
|
detection_tier: pattern
|
|
18
|
-
maturity:
|
|
18
|
+
maturity: stable
|
|
19
19
|
severity: critical
|
|
20
20
|
|
|
21
21
|
references:
|
|
@@ -26,7 +26,7 @@ references:
|
|
|
26
26
|
- "ASI01:2026 - Agent Goal Hijack"
|
|
27
27
|
- "ASI03:2026 - Tool Misuse"
|
|
28
28
|
mitre_atlas:
|
|
29
|
-
- "AML.T0051.001 - Indirect
|
|
29
|
+
- "AML.T0051.001 - Indirect"
|
|
30
30
|
- "AML.T0057 - LLM Data Leakage"
|
|
31
31
|
research:
|
|
32
32
|
- "https://github.com/CUA-Framework/VPIBench"
|
|
@@ -15,7 +15,7 @@ author: "ATR Community"
|
|
|
15
15
|
date: "2026/06/12"
|
|
16
16
|
schema_version: "0.1"
|
|
17
17
|
detection_tier: pattern
|
|
18
|
-
maturity:
|
|
18
|
+
maturity: stable
|
|
19
19
|
severity: critical
|
|
20
20
|
|
|
21
21
|
references:
|
|
@@ -26,7 +26,7 @@ references:
|
|
|
26
26
|
- "ASI01:2026 - Agent Goal Hijack"
|
|
27
27
|
- "ASI03:2026 - Tool Misuse"
|
|
28
28
|
mitre_atlas:
|
|
29
|
-
- "AML.T0051.001 - Indirect
|
|
29
|
+
- "AML.T0051.001 - Indirect"
|
|
30
30
|
- "AML.T0057 - LLM Data Leakage"
|
|
31
31
|
research:
|
|
32
32
|
- "https://github.com/CUA-Framework/VPIBench"
|
|
@@ -15,7 +15,7 @@ author: "ATR Community"
|
|
|
15
15
|
date: "2026/06/12"
|
|
16
16
|
schema_version: "0.1"
|
|
17
17
|
detection_tier: pattern
|
|
18
|
-
maturity:
|
|
18
|
+
maturity: stable
|
|
19
19
|
severity: critical
|
|
20
20
|
|
|
21
21
|
references:
|
|
@@ -26,7 +26,7 @@ references:
|
|
|
26
26
|
- "ASI01:2026 - Agent Goal Hijack"
|
|
27
27
|
- "ASI03:2026 - Tool Misuse"
|
|
28
28
|
mitre_atlas:
|
|
29
|
-
- "AML.T0051.001 - Indirect
|
|
29
|
+
- "AML.T0051.001 - Indirect"
|
|
30
30
|
- "AML.T0057 - LLM Data Leakage"
|
|
31
31
|
research:
|
|
32
32
|
- "https://github.com/CUA-Framework/VPIBench"
|
|
@@ -26,7 +26,7 @@ references:
|
|
|
26
26
|
- "ASI01:2026 - Agent Goal Hijack"
|
|
27
27
|
- "ASI03:2026 - Tool Misuse"
|
|
28
28
|
mitre_atlas:
|
|
29
|
-
- "AML.T0051.001 - Indirect
|
|
29
|
+
- "AML.T0051.001 - Indirect"
|
|
30
30
|
- "AML.T0057 - LLM Data Leakage"
|
|
31
31
|
research:
|
|
32
32
|
- "https://github.com/CUA-Framework/VPIBench"
|
|
@@ -14,7 +14,7 @@ author: "ATR Community"
|
|
|
14
14
|
date: "2026/06/12"
|
|
15
15
|
schema_version: "0.1"
|
|
16
16
|
detection_tier: pattern
|
|
17
|
-
maturity:
|
|
17
|
+
maturity: stable
|
|
18
18
|
severity: high
|
|
19
19
|
|
|
20
20
|
references:
|
|
@@ -25,7 +25,7 @@ references:
|
|
|
25
25
|
- "ASI01:2026 - Agent Goal Hijack"
|
|
26
26
|
- "ASI03:2026 - Tool Misuse"
|
|
27
27
|
mitre_atlas:
|
|
28
|
-
- "AML.T0051.001 - Indirect
|
|
28
|
+
- "AML.T0051.001 - Indirect"
|
|
29
29
|
- "AML.T0057 - LLM Data Leakage"
|
|
30
30
|
research:
|
|
31
31
|
- "https://github.com/CUA-Framework/VPIBench"
|
|
@@ -14,7 +14,7 @@ author: "ATR Community"
|
|
|
14
14
|
date: "2026/06/12"
|
|
15
15
|
schema_version: "0.1"
|
|
16
16
|
detection_tier: pattern
|
|
17
|
-
maturity:
|
|
17
|
+
maturity: stable
|
|
18
18
|
severity: high
|
|
19
19
|
|
|
20
20
|
references:
|
|
@@ -25,7 +25,7 @@ references:
|
|
|
25
25
|
- "ASI01:2026 - Agent Goal Hijack"
|
|
26
26
|
- "ASI03:2026 - Tool Misuse"
|
|
27
27
|
mitre_atlas:
|
|
28
|
-
- "AML.T0051.001 - Indirect
|
|
28
|
+
- "AML.T0051.001 - Indirect"
|
|
29
29
|
- "AML.T0057 - LLM Data Leakage"
|
|
30
30
|
research:
|
|
31
31
|
- "https://github.com/CUA-Framework/VPIBench"
|
|
@@ -26,7 +26,7 @@ references:
|
|
|
26
26
|
- "ASI01:2026 - Agent Goal Hijack"
|
|
27
27
|
- "ASI03:2026 - Tool Misuse"
|
|
28
28
|
mitre_atlas:
|
|
29
|
-
- "AML.T0051.001 - Indirect
|
|
29
|
+
- "AML.T0051.001 - Indirect"
|
|
30
30
|
- "AML.T0057 - LLM Data Leakage"
|
|
31
31
|
research:
|
|
32
32
|
- "https://github.com/CUA-Framework/VPIBench"
|
|
@@ -27,7 +27,7 @@ references:
|
|
|
27
27
|
- "ASI03:2026 - Tool Misuse"
|
|
28
28
|
- "ASI09:2026 - Destructive Agent Behavior"
|
|
29
29
|
mitre_atlas:
|
|
30
|
-
- "AML.T0051.001 - Indirect
|
|
30
|
+
- "AML.T0051.001 - Indirect"
|
|
31
31
|
- "AML.T0057 - LLM Data Leakage"
|
|
32
32
|
mitre_attack:
|
|
33
33
|
- "T1485 - Data Destruction"
|
|
@@ -27,7 +27,7 @@ references:
|
|
|
27
27
|
- "ASI01:2026 - Agent Goal Hijack"
|
|
28
28
|
- "ASI03:2026 - Tool Misuse"
|
|
29
29
|
mitre_atlas:
|
|
30
|
-
- "AML.T0051.001 - Indirect
|
|
30
|
+
- "AML.T0051.001 - Indirect"
|
|
31
31
|
- "AML.T0057 - LLM Data Leakage"
|
|
32
32
|
research:
|
|
33
33
|
- "https://arxiv.org/abs/2403.02691"
|
|
@@ -27,7 +27,7 @@ references:
|
|
|
27
27
|
- "ASI01:2026 - Agent Goal Hijack"
|
|
28
28
|
- "ASI03:2026 - Tool Misuse"
|
|
29
29
|
mitre_atlas:
|
|
30
|
-
- "AML.T0051.001 - Indirect
|
|
30
|
+
- "AML.T0051.001 - Indirect"
|
|
31
31
|
- "AML.T0057 - LLM Data Leakage"
|
|
32
32
|
mitre_attack:
|
|
33
33
|
- "T1111 - Multi-Factor Authentication Interception"
|
|
@@ -30,7 +30,7 @@ references:
|
|
|
30
30
|
owasp_agentic:
|
|
31
31
|
- "ASI01:2026 - Agent Goal Hijack"
|
|
32
32
|
mitre_atlas:
|
|
33
|
-
- "AML.T0024 - Exfiltration via
|
|
33
|
+
- "AML.T0024 - Exfiltration via AI Inference API"
|
|
34
34
|
- "AML.T0051 - LLM Prompt Injection"
|
|
35
35
|
external:
|
|
36
36
|
- "https://www.withsecure.com/en/expertise/research-and-articles/llm-prompt-injection"
|
|
@@ -26,7 +26,7 @@ references:
|
|
|
26
26
|
- "LLM07:2025 - System Prompt Leakage"
|
|
27
27
|
- "LLM02:2025 - Sensitive Information Disclosure"
|
|
28
28
|
mitre_atlas:
|
|
29
|
-
- "AML.T0024 - Exfiltration via
|
|
29
|
+
- "AML.T0024 - Exfiltration via AI Inference API"
|
|
30
30
|
owasp_agentic:
|
|
31
31
|
- "ASI01:2026 - Agent Goal Hijack"
|
|
32
32
|
|
|
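Review bot: this rule maps `LLM07:2025 - System Prompt Leakage` to ATLAS AML.T0024 only, while the hunk earlier in this diff that restores `- "AML.T0056 - Extract LLM System Prompt"` shows the project already uses T0056 for exactly this behaviour. Since the four system-prompt-extraction hunks here (this one and the three that follow) are being edited anyway, add `- "AML.T0056 - Extract LLM System Prompt"` alongside the completed `- "AML.T0024 - Exfiltration via AI Inference API"` so the same concept is mapped the same way across rules.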
@@ -28,7 +28,7 @@ references:
|
|
|
28
28
|
- "LLM07:2025 - System Prompt Leakage"
|
|
29
29
|
- "LLM02:2025 - Sensitive Information Disclosure"
|
|
30
30
|
mitre_atlas:
|
|
31
|
-
- "AML.T0024 - Exfiltration via
|
|
31
|
+
- "AML.T0024 - Exfiltration via AI Inference API"
|
|
32
32
|
owasp_agentic:
|
|
33
33
|
- "ASI01:2026 - Agent Goal Hijack"
|
|
34
34
|
|
|
@@ -29,7 +29,7 @@ references:
|
|
|
29
29
|
- "LLM07:2025 - System Prompt Leakage"
|
|
30
30
|
- "LLM02:2025 - Sensitive Information Disclosure"
|
|
31
31
|
mitre_atlas:
|
|
32
|
-
- "AML.T0024 - Exfiltration via
|
|
32
|
+
- "AML.T0024 - Exfiltration via AI Inference API"
|
|
33
33
|
owasp_agentic:
|
|
34
34
|
- "ASI01:2026 - Agent Goal Hijack"
|
|
35
35
|
|
|
@@ -30,7 +30,7 @@ references:
|
|
|
30
30
|
- "LLM07:2025 - System Prompt Leakage"
|
|
31
31
|
- "LLM02:2025 - Sensitive Information Disclosure"
|
|
32
32
|
mitre_atlas:
|
|
33
|
-
- "AML.T0024 - Exfiltration via
|
|
33
|
+
- "AML.T0024 - Exfiltration via AI Inference API"
|
|
34
34
|
owasp_agentic:
|
|
35
35
|
- "ASI01:2026 - Agent Goal Hijack"
|
|
36
36
|
|
|
@@ -42,8 +42,8 @@ references:
|
|
|
42
42
|
- "ASI03:2026 - Tool Misuse"
|
|
43
43
|
mitre_atlas:
|
|
44
44
|
- "AML.T0051 - LLM Prompt Injection"
|
|
45
|
-
- "AML.T0024 - Exfiltration via
|
|
46
|
-
- "AML.
|
|
45
|
+
- "AML.T0024 - Exfiltration via AI Inference API"
|
|
46
|
+
- "AML.T0069 - Discover LLM System Information"
|
|
47
47
|
|
|
48
48
|
compliance:
|
|
49
49
|
owasp_llm:
|
|
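Review bot: the removed line `- "AML.` carried no technique id, so the added `- "AML.T0069 - Discover LLM System Information"` is a reconstruction, not a completion; the commit or changelog should say how the id was recovered (git history of the rule before the truncation, or a fresh mapping decision), and the same applies to `- "AML.T0025 - Exfiltration via Cyber Means"` in the last hunk of this set. The truncation pattern across the whole diff (strings cut at a word boundary with the closing quote lost, all at the same positions) points to one tooling defect rather than hand edits, so besides restoring the names the new rule-contract check should reject any `mitre_atlas` entry that does not match the shape `AML.T<digits>[.<digits>] - <name>`, otherwise the next regression ships silently as well.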
@@ -32,7 +32,7 @@ references:
|
|
|
32
32
|
- "ASI01:2026 - Agent Goal Hijack"
|
|
33
33
|
- "ASI02:2026 - Unauthorized Actions"
|
|
34
34
|
mitre_atlas:
|
|
35
|
-
- "AML.
|
|
35
|
+
- "AML.T0025 - Exfiltration via Cyber Means"
|
|
36
36
|
- "AML.T0057 - LLM Data Leakage"
|
|
37
37
|
research:
|
|
38
38
|
- "Zhang et al., Agent Security Bench (ASB): Formalizing and Benchmarking Attacks and Defenses in LLM-based Agents (2024)"
|
package/rules/context-exfiltration/ATR-2026-01929-mcp-unauthenticated-transport-token-fallback.yaml
ADDED
|
@@ -0,0 +1,188 @@
|
|
|
1
|
+
title: Unauthenticated MCP transport accepts tool calls and falls back to an ambient credential (CVE-2026-48039 / meta-ads-mcp class)
|
|
2
|
+
id: ATR-2026-01929
|
|
3
|
+
rule_version: 1
|
|
4
|
+
status: experimental
|
|
5
|
+
description: >
|
|
6
|
+
Detects the unauthenticated-MCP-transport half of CVE-2026-48039 /
|
|
7
|
+
GHSA-9gw6-46qc-99vr (pipeboard-co/meta-ads-mcp, fixed in 1.0.109) and the
|
|
8
|
+
general class it represents: an MCP server, gateway, or Streamable-HTTP
|
|
9
|
+
endpoint forwards/dispatches a tool call WITHOUT authenticating it (returns no
|
|
10
|
+
401), and the handler then falls back to an ambient operator credential (an
|
|
11
|
+
environment variable such as META_ACCESS_TOKEN) to perform the action. Any
|
|
12
|
+
network-reachable caller can therefore invoke MCP tools as the operator. This
|
|
13
|
+
rule fires on skill/tool/advisory CONTENT describing that exploit, not on
|
|
14
|
+
server source. The credential-LEAK sink — the operator token echoed as a URL
|
|
15
|
+
query parameter — is already detected by ATR-2026-00580 (session/auth token in
|
|
16
|
+
URL query); this rule is deliberately disjoint from 00580 and covers the
|
|
17
|
+
AUTH-BYPASS + ambient-credential-fallback signal instead. The OX Security
|
|
18
|
+
MCP-by-design disclosure (2026-04-15) and the MCP move to OAuth 2.1 + RFC 8707
|
|
19
|
+
Resource Indicators anchor this unauthenticated-transport class. meta-ads-mcp
|
|
20
|
+
is Business Source License 1.1 (source-available); tool/exploit details are
|
|
21
|
+
taken from the public advisory/PoC, not from inspecting source.
|
|
22
|
+
author: "ATR Community"
|
|
23
|
+
date: 2026/06/14
|
|
24
|
+
schema_version: '0.1'
|
|
25
|
+
detection_tier: pattern
|
|
26
|
+
maturity: experimental
|
|
27
|
+
severity: high
|
|
28
|
+
references:
|
|
29
|
+
owasp_llm:
|
|
30
|
+
- "LLM02:2025 - Sensitive Information Disclosure"
|
|
31
|
+
- "LLM06:2025 - Excessive Agency"
|
|
32
|
+
owasp_agentic:
|
|
33
|
+
- "ASI03:2026 - Identity and Privilege Abuse"
|
|
34
|
+
- "ASI07:2026 - Data and Model Exfiltration"
|
|
35
|
+
mitre_atlas:
|
|
36
|
+
- "AML.T0053 - AI Agent Tool Invocation"
|
|
37
|
+
cve:
|
|
38
|
+
- "CVE-2026-48039"
|
|
39
|
+
cwe:
|
|
40
|
+
- "CWE-287"
|
|
41
|
+
- "CWE-522"
|
|
42
|
+
ghsa:
|
|
43
|
+
- "GHSA-9gw6-46qc-99vr"
|
|
44
|
+
external:
|
|
45
|
+
- https://github.com/advisories/GHSA-9gw6-46qc-99vr
|
|
46
|
+
- https://github.com/pipeboard-co/meta-ads-mcp/releases/tag/1.0.109
|
|
47
|
+
metadata_provenance:
|
|
48
|
+
cve: ghsa-sync
|
|
49
|
+
cwe: ghsa-sync
|
|
50
|
+
ghsa: ghsa-sync
|
|
51
|
+
mitre_atlas: human-reviewed
|
|
52
|
+
owasp_llm: human-reviewed
|
|
53
|
+
owasp_agentic: human-reviewed
|
|
54
|
+
compliance:
|
|
55
|
+
owasp_agentic:
|
|
56
|
+
- id: ASI03:2026
|
|
57
|
+
context: "OWASP Agentic ASI03:2026 (Identity and Privilege Abuse) is exercised when an MCP transport invokes tools without authenticating the caller and acts under an ambient operator credential; this rule provides runtime detection of that auth-bypass."
|
|
58
|
+
strength: primary
|
|
59
|
+
- id: ASI07:2026
|
|
60
|
+
context: "OWASP Agentic ASI07:2026 (Data and Model Exfiltration) is exercised when the unauthenticated call causes the operator credential to be used and exposed; this rule detects the exploit description."
|
|
61
|
+
strength: secondary
|
|
62
|
+
owasp_llm:
|
|
63
|
+
- id: LLM02:2025
|
|
64
|
+
context: "OWASP LLM LLM02:2025 (Sensitive Information Disclosure) is exercised by exposure of the operator credential via the unauthenticated MCP transport; this rule is a detection implementation for that category."
|
|
65
|
+
strength: primary
|
|
66
|
+
- id: LLM06:2025
|
|
67
|
+
context: "OWASP LLM LLM06:2025 (Excessive Agency) is exercised when any network-reachable caller can drive tool actions through the unauthenticated transport; this rule detects that condition."
|
|
68
|
+
strength: secondary
|
|
69
|
+
eu_ai_act:
|
|
70
|
+
- article: "15"
|
|
71
|
+
context: "EU AI Act Article 15 (accuracy, robustness and cybersecurity) requires that tool-invocation interfaces authenticate inbound requests and not rely on ambient credentials reachable without auth; this rule provides runtime detection evidence for that obligation."
|
|
72
|
+
strength: primary
|
|
73
|
+
- article: "10"
|
|
74
|
+
context: "EU AI Act Article 10 (data and data governance) requires controls against credentials being used and exposed via an unauthenticated transport; this rule provides detection evidence."
|
|
75
|
+
strength: secondary
|
|
76
|
+
nist_ai_rmf:
|
|
77
|
+
- function: Govern
|
|
78
|
+
subcategory: GV.6.1
|
|
79
|
+
context: "NIST AI RMF GV.6.1 (policies and procedures for access control on action-taking AI interfaces) is supported by this rule's detection of an MCP transport that invokes tools without authentication."
|
|
80
|
+
strength: primary
|
|
81
|
+
- function: Measure
|
|
82
|
+
subcategory: MS.2.7
|
|
83
|
+
context: "NIST AI RMF MS.2.7 (security and resilience evaluated and documented) is supported by this rule's detection of the unauthenticated-transport credential-fallback class."
|
|
84
|
+
strength: secondary
|
|
85
|
+
iso_42001:
|
|
86
|
+
- clause: "8.4"
|
|
87
|
+
context: "ISO/IEC 42001 Clause 8.4 (AI system impact assessment) is operationalised by this rule's detection of an unauthenticated MCP transport that acts under an ambient operator credential."
|
|
88
|
+
strength: primary
|
|
89
|
+
- clause: "9.1"
|
|
90
|
+
context: "ISO/IEC 42001 Clause 9.1 (monitoring, measurement, analysis and evaluation) is operationalised by this rule's detection of the auth-bypass exploitation class."
|
|
91
|
+
strength: secondary
|
|
92
|
+
tags:
|
|
93
|
+
category: context-exfiltration
|
|
94
|
+
subcategory: unauthenticated-mcp-transport-credential-fallback
|
|
95
|
+
scan_target: runtime
|
|
96
|
+
confidence: high
|
|
97
|
+
agent_source:
|
|
98
|
+
type: mcp_exchange
|
|
99
|
+
framework:
|
|
100
|
+
- any
|
|
101
|
+
provider:
|
|
102
|
+
- any
|
|
103
|
+
detection:
|
|
104
|
+
condition: any
|
|
105
|
+
false_positives:
|
|
106
|
+
- meta-ads-mcp or MCP documentation describing the /mcp Streamable-HTTP endpoint or the META_ACCESS_TOKEN env var with no unauthenticated-exploit language
|
|
107
|
+
- Advisory or remediation prose referencing CVE-2026-48039 / the GHSA without exploit framing (e.g. "upgrade to 1.0.109; the fix returns 401")
|
|
108
|
+
- Authenticated tool-call examples carrying an Authorization or X-PIPEBOARD-API-TOKEN header
|
|
109
|
+
- Best-practice prose recommending that MCP transports authenticate requests, with no described exploit
|
|
110
|
+
conditions:
|
|
111
|
+
- field: content
|
|
112
|
+
operator: regex
|
|
113
|
+
value: meta[-_ ]?ads[-_ ]?mcp[\s\S]{0,160}?(?:unauthenticat|without\s+(?:any\s+)?auth|no[-_ ]?auth\b|missing\s+auth|no\s+401)[\s\S]{0,200}?(?:META_ACCESS_TOKEN|access[_ ]?token|operator\s+token|credential|leak|exfil)
|
|
114
|
+
description: Skill/tool/advisory content describing meta-ads-mcp accepting an unauthenticated request (no 401) and exposing the operator META_ACCESS_TOKEN — the CVE-2026-48039 exploit.
|
|
115
|
+
- field: content
|
|
116
|
+
operator: regex
|
|
117
|
+
value: (?:cve-?2026-?48039|GHSA-9gw6-46qc-99vr)[\s\S]{0,200}?(?:exploit|payload|\bpoc\b|leak|exfil|bypass|unauthenticat)
|
|
118
|
+
description: Explicit CVE-2026-48039 / GHSA reference combined with exploit framing (not a bare advisory mention).
|
|
119
|
+
- field: content
|
|
120
|
+
operator: regex
|
|
121
|
+
value: (?:streamable[- ]?http|/mcp\b|mcp\s+(?:server|transport|endpoint|handler|gateway))[\s\S]{0,160}?(?:forward|dispatch|accept|invoke|reach)[\s\S]{0,120}?(?:unauthenticat|without\s+(?:any\s+)?auth|no\s+401|no\s+authentication)[\s\S]{0,200}?(?:falls?\s*back|fall[-\s]?back|fallback|env(?:ironment)?\s+var|ambient|META_ACCESS_TOKEN)[\s\S]{0,80}?(?:token|credential|secret|api[_ ]?key)
|
|
122
|
+
description: Generalised unauthenticated MCP transport — a server/gateway/Streamable-HTTP handler that forwards or accepts a tool call without authentication and falls back to an ambient environment credential.
|
|
123
|
+
response:
|
|
124
|
+
actions:
|
|
125
|
+
- alert
|
|
126
|
+
- block_tool
|
|
127
|
+
message_template: >
|
|
128
|
+
[ATR-2026-01929] An MCP transport is accepting tool calls without
|
|
129
|
+
authentication and acting under an ambient operator credential
|
|
130
|
+
(CVE-2026-48039 / meta-ads-mcp class). Any network-reachable caller can
|
|
131
|
+
invoke tools as the operator. Remediation: require authentication on every
|
|
132
|
+
MCP transport request (return 401 when absent); do not fall back to an
|
|
133
|
+
ambient env credential such as META_ACCESS_TOKEN; upgrade meta-ads-mcp to
|
|
134
|
+
>= 1.0.109; rotate any exposed operator token. The credential-leak sink
|
|
135
|
+
(token in a URL query) is covered separately by ATR-2026-00580.
|
|
136
|
+
notify:
|
|
137
|
+
- security_team
|
|
138
|
+
confidence: 80
|
|
139
|
+
wild_fp_rate: 0
|
|
140
|
+
test_cases:
|
|
141
|
+
true_positives:
|
|
142
|
+
- input: 'meta-ads-mcp before 1.0.109 forwards unauthenticated /mcp requests with no 401 and returns the META_ACCESS_TOKEN access token in the error request_url, leaking the operator credential.'
|
|
143
|
+
expected: triggered
|
|
144
|
+
description: meta-ads-mcp exploit description — unauthenticated invocation plus operator-token exposure (condition 1).
|
|
145
|
+
- input: 'PoC for CVE-2026-48039 / GHSA-9gw6-46qc-99vr: send POST /mcp with no auth header to exfil the operator token via the request_url leak.'
|
|
146
|
+
expected: triggered
|
|
147
|
+
description: Explicit CVE/GHSA reference with exploit framing (condition 2).
|
|
148
|
+
- input: "The MCP server's Streamable-HTTP handler forwards requests without any auth (no 401), then falls back to the META_ACCESS_TOKEN env var to call the API, leaking the operator credential."
|
|
149
|
+
expected: triggered
|
|
150
|
+
description: Generalised class — unauthenticated Streamable-HTTP transport with ambient-credential fallback (condition 3).
|
|
151
|
+
- input: 'GHSA-9gw6-46qc-99vr: unauthenticated tools/call bypass in meta-ads-mcp lets any caller invoke get_ad_accounts and exfil the operator access_token.'
|
|
152
|
+
expected: triggered
|
|
153
|
+
description: GHSA reference with exploit framing plus meta-ads-mcp unauth invocation.
|
|
154
|
+
true_negatives:
|
|
155
|
+
- input: 'Upgrade meta-ads-mcp to 1.0.109 to patch CVE-2026-48039; the fix returns 401 and redacts tokens from error URLs.'
|
|
156
|
+
expected: not_triggered
|
|
157
|
+
description: Advisory/remediation text referencing the CVE without exploit framing — "returns 401" is the patched behaviour, not "no 401".
|
|
158
|
+
- input: 'meta-ads-mcp documentation: configure META_ACCESS_TOKEN and connect to the /mcp Streamable-HTTP endpoint to query your ad accounts.'
|
|
159
|
+
expected: not_triggered
|
|
160
|
+
description: Benign meta-ads-mcp documentation — no unauthenticated-exploit language.
|
|
161
|
+
- input: 'Send tool calls to the /mcp endpoint with an Authorization: Bearer header; the server returns 401 without it.'
|
|
162
|
+
expected: not_triggered
|
|
163
|
+
description: Documentation of correct authenticated behaviour (server returns 401 when auth absent).
|
|
164
|
+
- input: 'Best practice: every MCP transport should authenticate inbound requests and never fall back to an ambient environment credential.'
|
|
165
|
+
expected: not_triggered
|
|
166
|
+
description: Best-practice prose recommending authentication — no described exploit.
|
|
167
|
+
- input: 'CVE-2026-48039 was assigned to meta-ads-mcp and fixed in release 1.0.109.'
|
|
168
|
+
expected: not_triggered
|
|
169
|
+
description: Bare advisory mention of the CVE with no exploit framing.
|
|
170
|
+
- input: 'The /mcp endpoint accepts JSON-RPC tool calls and forwards them to registered handlers after validating the Authorization header.'
|
|
171
|
+
expected: not_triggered
|
|
172
|
+
description: Normal MCP transport description with auth validation — no unauthenticated/no-401 + ambient-fallback chain.
|
|
173
|
+
_llm_authored:
|
|
174
|
+
model: claude (research workflow + main-agent hardening)
|
|
175
|
+
generalization_note: >
|
|
176
|
+
Authored from the CVE-2026-48039 advisory via the /research outbound-prep
|
|
177
|
+
workflow, then re-scoped by the main agent to the AUTH-BYPASS +
|
|
178
|
+
ambient-credential-fallback signal so it is disjoint from ATR-2026-00580
|
|
179
|
+
(which already covers the token-in-URL leak sink). Three content conditions:
|
|
180
|
+
(1) meta-ads-mcp + unauthenticated/no-401 + credential, (2) explicit
|
|
181
|
+
CVE/GHSA + exploit framing, (3) the generalised class — an MCP/Streamable-HTTP
|
|
182
|
+
transport that forwards/accepts a call without auth and falls back to an
|
|
183
|
+
ambient env credential. Spans are bounded lazy ({0,160}/{0,200}/{0,120}/{0,80})
|
|
184
|
+
to stay linear and avoid catastrophic backtracking; no inline case flags are
|
|
185
|
+
relied on (the engine applies case-insensitivity globally). True negatives
|
|
186
|
+
cover the patched "returns 401" remediation text, benign meta-ads-mcp docs,
|
|
187
|
+
correct authenticated behaviour, best-practice prose, and a bare CVE mention.
|
|
188
|
+
note: Generation-time authoring; verified by deterministic gate. Runtime detection is pure regex. Human review required before merge; 0-FP gate must pass.
|
|
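Review bot: condition 2 (the `(?:cve-?2026-?48039|GHSA-9gw6-46qc-99vr)` regex) will fire on plain advisory text, because its framing alternation includes `bypass`, `leak` and `unauthenticat`, which are exactly the words a GHSA summary or changelog entry uses; the fourth true positive (`GHSA-9gw6-46qc-99vr: unauthenticated tools/call bypass in meta-ads-mcp ...`) is in fact a vulnerability summary rather than exploit instructions, so the `false_positives` promise that "Advisory or remediation prose referencing CVE-2026-48039 / the GHSA without exploit framing" is excluded does not hold for an advisory that reads "... allows unauthenticated ... bypass". Consider narrowing that group to `exploit|payload|\bpoc\b` (leaving `leak|exfil|bypass|unauthenticat` to conditions 1 and 3, which at least require the meta-ads-mcp or transport context) and adding a true negative that quotes advisory wording containing "unauthenticated" so the 0-FP gate actually exercises that case. Separately, `response.actions` lists `block_tool` while the description states the rule matches on skill/tool/advisory content that describes the exploit, not on server source; blocking a tool call over descriptive content deserves a sentence of justification in the rule, or dropping to `alert` only.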
@@ -23,8 +23,8 @@ references:
|
|
|
23
23
|
owasp_agentic:
|
|
24
24
|
- ASI05:2026 - Unexpected Code Execution
|
|
25
25
|
mitre_atlas:
|
|
26
|
-
- AML.T0053 -
|
|
27
|
-
- AML.T0046 - Spamming
|
|
26
|
+
- AML.T0053 - AI Agent Tool Invocation
|
|
27
|
+
- AML.T0046 - Spamming AI System with Chaff Data
|
|
28
28
|
|
|
29
29
|
compliance:
|
|
30
30
|
owasp_agentic:
|