The knowledge_search and knowledge_get_node MCP tools are included in SCOPED_TOOLS (visible to scoped agents) but their handlers do not receive authContext and do not enforce workspace scoping. A scoped agent in Workspace A can supply an arbitrary workspaceId parameter to search or retrieve knowledge graph nodes from Workspace B, bypassing workspace isolation boundaries.
This is a cross-workspace data leakage vulnerability affecting any deployment where multiple workspaces contain sensitive knowledge graph data and scoped agents are used.
Affected code:
packages/mcp/src/tools/knowledge.ts:146-169 (knowledge_search handler)packages/mcp/src/tools/knowledge.ts:244-283 (knowledge_get_node handler)packages/mcp/src/tool-scoping.ts:11 (both tools listed in SCOPED_TOOLS)Contrast with correct implementation: knowledge_create_node (same file, lines 334-357) properly receives authContext and overrides the user-supplied workspaceId for scoped callers.
Cross-workspace knowledge sharing is a legitimate future feature — agents working across different repos may need to collaborate and share knowledge. However, this access should be opt-in with explicit grants, not an implicit bypass. The immediate fix locks scoped agents to their own workspace. A future design could introduce:
cross_workspace scope on scoped tokensworkspaceIds (plural) in the auth contextFix: Add authContext parameter to knowledge_search and knowledge_get_node handlers and enforce workspace scoping, matching the pattern in knowledge_create_node:
const resolvedWorkspaceId =
authContext?.type === "scoped"
? authContext.workspaceId ?? ""
: workspaceId ?? "";
When cross-workspace collaboration is designed, this check can be relaxed intentionally with proper access controls.
Do not use scoped agent...
0.70.2Exploitability
AV:NAC:LAT:NPR:LUI:NVulnerable System
VC:HVI:HVA:NSubsequent System
SC:LSI:LSA:N8.6/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N