Two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process.
The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host.
Fixed in 1.83.7. Both test endpoints now require the PROXY_ADMIN role, bringing them into line with the save endpoint.
If upgrading is not immediately possible, developers should block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at their reverse proxy or API gateway.
1.83.7Exploitability
AV:NAC:LAT:PPR:LUI:NVulnerable System
VC:HVI:HVA:HSubsequent System
SC:HSI:NSA:N8.7/CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N