New capability:
[HIGH] GHSA-7hgr-7h44-33w2: CamoFox MCP: Unauthenticated HTTP MCP browser-control surface
GitHub Security Advisory·Security·SecurityFix·5/19/2026
# Unauthenticated HTTP MCP browser-control surface in `camofox-mcp`

## Summary

`camofox-mcp` exposed a Streamable HTTP MCP endpoint at `/mcp` with rate limiting but no inbound MCP-layer authentication. When HTTP mode was enabled, any client that could reach `/mcp` could list and invoke browser-con
Why it matters → New functionality is available in camofox-mcp. May enable simpler implementations or replace external dependencies.
Who should care → Teams already using camofox-mcp or evaluating it.
camofox-mcp·typescript
Source payload preview
{
  "ghsaId": "GHSA-7hgr-7h44-33w2",
  "summary": "CamoFox MCP: Unauthenticated HTTP MCP browser-control surface",
  "severity": "HIGH",
  "updatedAt": "2026-05-19T20:13:37Z",
  "references": [
    {
      "url": "https://github.com/redf0x1/camofox-mcp/security/advisories/GHSA-7hgr-7h44-33w2"
    },
    {
      "url": "https://github.com/redf0x1/camofox-mcp/commit/599f56ee40f8062aeca541c251ed1d39fb437f50"
    },
    {
      "url": "https://github.com/advisories/GHSA-7hgr-7h44-33w2"
    }
  ],
  "description": "# Unauthenticated HTTP MCP browser-control surface in `camofox-mcp`\n\n## Summary\n\n`camofox-mcp` exposed a Streamable HTTP MCP endpoint at `/mcp` with rate limiting but no inbound MCP-layer authentication. When HTTP mode was enabled, any client that could reach `/mcp` could list an
…