Vulnerability Information
Vulnerability Title
Arcade MCP Default Hardcoded Worker Secret Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints
Vulnerability Description
Arcade MCP allows you to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret ("dev") that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This grants remote access to all worker endpoints, including tool enumeration and tool invocation, without credentials. This vulnerability is fixed in 1.5.4.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Vulnerability Type
Use of Hard-coded Cryptographic Key
Vulnerability Title
Arcade MCP Server Framework Trust Management Issue Vulnerability
Vulnerability Description
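Arcade MCP Server Framework is an open-source MCP server framework from Arcade.dev. Versions of Arcade MCP Server Framework prior to 1.5.4 contain a trust management issue vulnerability, which stems from a hardcoded default worker secret and may allow the authentication layer to be bypassed.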
CVSS Information
N/A
Vulnerability Type
N/A
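The class of fix the description points at, as an added example that is not Arcade's code: refuse to start on an unset, default or short HS256 secret, and verify tokens only against the validated key. `WORKER_SECRET`, the function names, the 32-byte minimum and every denylist entry other than "dev" are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

KNOWN_DEFAULTS = {"dev", "secret", "changeme", "test"}  # "dev" is from the advisory
MIN_SECRET_BYTES = 32  # assumption: at least the HMAC-SHA256 output size


def load_worker_secret(env):
    """Return the signing key or refuse to start. WORKER_SECRET is a hypothetical name."""
    secret = env.get("WORKER_SECRET", "")
    if not secret or secret.strip().lower() in KNOWN_DEFAULTS:
        raise RuntimeError("WORKER_SECRET is unset or a well-known default value")
    if len(secret.encode()) < MIN_SECRET_BYTES:
        raise RuntimeError("WORKER_SECRET is shorter than 32 bytes")
    return secret.encode()


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64url(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _mac(key, signing_input):
    return _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def sign_hs256(claims, key):  # used here only to build constructed tokens
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b".".join(_b64url(json.dumps(p).encode()) for p in (header, claims))
    return (signing_input + b"." + _mac(key, signing_input)).decode()


def verify_hs256(token, key, now=None):
    """Return the claims if algorithm, signature and expiry check out, else None."""
    try:
        header, body, sig = token.encode().split(b".")
        if json.loads(_unb64url(header)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(sig, _mac(key, header + b"." + body)):
            return None
        claims = json.loads(_unb64url(body))
        return claims if claims["exp"] > (time.time() if now is None else now) else None
    except (ValueError, TypeError, AttributeError, KeyError):
        return None
```

Calling `load_worker_secret(os.environ)` before the HTTP app is constructed makes a missing or default secret a startup failure rather than a silent fallback.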