AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-647h-p824-99w7: @grackle-ai/mcp has a workspace authorization bypass in its knowledge_search MCP tool

highvulnerability

security

Source: GitHub Advisory DatabaseMarch 25, 2026

Summary

The @grackle-ai/mcp library has a workspace authorization bypass vulnerability in its knowledge_search and knowledge_get_node tools. These tools are marked as available to scoped agents (agents with limited permissions tied to a specific workspace), but they don't properly check which workspace a user belongs to, allowing a scoped agent in Workspace A to access sensitive data from Workspace B by specifying an arbitrary workspaceId parameter.

Solution / Mitigation

Add `authContext` parameter to `knowledge_search` and `knowledge_get_node` handlers and enforce workspace scoping by using this code pattern: ```typescript const resolvedWorkspaceId = authContext?.type === "scoped" ? authContext.workspaceId ?? "" : workspaceId ?? ""; ``` This ensures scoped agents can only access their own workspace. As a temporary workaround, remove `knowledge_search` and `knowledge_get_node` from the `SCOPED_TOOLS` set in `tool-scoping.ts` or do not use scoped agent tokens in multi-workspace deployments until the fix is applied.

Classification

Attack Type

Data Extraction

Attack SophisticationTrivial

Impact (CIA+S)

confidentialityintegrity

Affected Vendors

LangChain

Affected Packages

@grackle-ai/mcp@<= 0.70.1 (fixed: 0.70.2)

Related Issues

critical

CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-

Same vendorNVD/CVE Database

critical

CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive

First tracked: March 25, 2026 at 02:00 PM

Classified by LLM (prompt v3) · confidence: 92%