—

GO-2026-5390

MCP Gateway: Authority-injection and JWT/session bypass via the unauthenticated router hair-pin "router-key" / "mcp-init-host" path in github.com/Kuadrant/mcp-gateway

Details

MCP Gateway: Authority-injection and JWT/session bypass via the unauthenticated router hair-pin "router-key" / "mcp-init-host" path in github.com/Kuadrant/mcp-gateway

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/Kuadrant/mcp-gateway

Introduced in: 0

No fixed version published yet for github.com/Kuadrant/mcp-gateway (go modules). Pin to a known-safe version or switch to an alternative.

References

https://github.com/Kuadrant/mcp-gateway/security/advisories/GHSA-g53w-w6mj-hrpp [ADVISORY]