—

GO-2026-5678

Obot has an authorization bypass in /mcp-connect/{id} that allows any authenticated user to use any registered MCP server in github.com/obot-platform/obot

Details

Obot has an authorization bypass in /mcp-connect/{id} that allows any authenticated user to use any registered MCP server in github.com/obot-platform/obot

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/obot-platform/obot

Introduced in: 0 Fixed in: 0.21.1

Fix go get github.com/obot-platform/obot@v0.21.1

References

https://github.com/obot-platform/obot/security/advisories/GHSA-vw82-7fv8-r6gp [ADVISORY]
https://github.com/obot-platform/obot/releases/tag/v0.21.1 [WEB]