I was asked to take a look at a purported MCP vulnerability and ended up spitting my bourbon all over my favorite keyboard. Such are the risks of reading a “critical vulnerability” that essentially evaporates when you follow basic security hygiene.
When I looked at what this actually requires, I mean how it’s not much of an attack at all, I knew their report was going to give me a hangover.
- First, give your AI agent organization-wide GitHub access instead of scoping it to specific repos. Ok, that’s stupid, nobody should ever do that, but let’s go on for the giggles.
- Second, have both public and private repos (sure, that’s the usual kind of stuff, but it’s a requirement).
- Third, your agent must be queried about public-repo issues where an attacker has already staged some malicious content.
- And finally, fourth, the coup de grace, you need to put on a blindfold and tie your hands behind your back because this “vulnerability” requires users to disable their security prompts or click through them all without reading, acting like a kamikaze. Hold on TIGHT because you’re about to blow yourself up
ZOMG who could ever defend themselves against THAT! Call the police. Fire the torpedoes. The sky is falling.
SIGH, and so it goes, a “fix” is literally just… using GitHub’s existing fine-grained personal access tokens (PATs) that have been available for years.
Pffft. Sorry, FUD party over.
Scope your token to only the repos the agent needs. Done and done. Attack surface eliminated.
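Here is what that “done and done” looks like as a check you can actually run. This is an added example, not code from the post, from Invariant Labs, or from GitHub. It audits an MCP client config entry for the two things the post keeps coming back to (a classic, org-wide PAT instead of a fine-grained one, and security prompts switched off) and then shows a client-side gate that refuses tool calls to repos outside an allowlist regardless of what the token could reach. Assumptions: the `mcpServers` / `env` JSON layout and the `GITHUB_PERSONAL_ACCESS_TOKEN` variable name mirror common MCP client and GitHub MCP server configs, the `autoApprove` key is a hypothetical stand-in for whatever your client calls “don’t prompt me”, the tool names are illustrative, and the token values are constructed placeholders (only the `ghp_` and `github_pat_` prefixes matter).

```python
from dataclasses import dataclass

# Prefixes GitHub uses: classic PATs start with "ghp_", fine-grained ones
# with "github_pat_". Anything else we refuse to vouch for.
def token_kind(token: str) -> str:
    if token.startswith("ghp_"):
        return "classic"
    if token.startswith("github_pat_"):
        return "fine-grained"
    return "unknown"

# Tools that change state; these should always hit a human prompt.
# Illustrative names, not a definitive list for any server.
WRITE_TOOLS = {"create_pull_request", "create_issue", "push_files"}


def audit_config(config: dict, server: str = "github") -> list:
    """Return human-readable findings for one MCP server entry.
    Layout (mcpServers -> env / autoApprove) is an assumption about the client."""
    entry = config["mcpServers"][server]
    findings = []

    token = entry.get("env", {}).get("GITHUB_PERSONAL_ACCESS_TOKEN", "")
    kind = token_kind(token)
    if kind == "classic":
        findings.append("classic PAT: reaches every repo the user can see; "
                        "use a fine-grained PAT scoped to named repos")
    elif kind == "unknown":
        findings.append("token format not recognised; cannot confirm it is fine-grained")

    auto = set(entry.get("autoApprove", []))          # hypothetical client key
    if "*" in auto:
        findings.append("all tools auto-approved: security prompts are effectively disabled")
    elif auto & WRITE_TOOLS:
        findings.append(f"write tools auto-approved without a prompt: {sorted(auto & WRITE_TOOLS)}")
    return findings


@dataclass
class Policy:
    allowed_repos: set   # "owner/name" entries the agent may touch at all
    auto_approve: set    # tools the user has chosen not to be prompted for


def gate_tool_call(tool: str, args: dict, policy: Policy) -> str:
    """Defence in depth on the client side: deny any call naming a repo outside
    the allowlist, and force a prompt for write tools that are not auto-approved."""
    repo = f"{args.get('owner')}/{args.get('repo')}"
    if repo not in policy.allowed_repos:
        return "deny"
    if tool in WRITE_TOOLS and tool not in policy.auto_approve:
        return "prompt"   # the human still reads and approves this one
    return "allow"


# Constructed sample configs: the "blindfold on" setup and the scoped one.
BAD_CONFIG = {"mcpServers": {"github": {
    "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_CONSTRUCTEDPLACEHOLDER"},
    "autoApprove": ["*"],
}}}
GOOD_CONFIG = {"mcpServers": {"github": {
    "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "github_pat_CONSTRUCTEDPLACEHOLDER"},
    "autoApprove": ["get_issue"],
}}}

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, audit_config(cfg) or ["no findings"])
    policy = Policy(allowed_repos={"acme/public-site"}, auto_approve={"get_issue"})
    print(gate_tool_call("get_issue", {"owner": "acme", "repo": "public-site"}, policy))
    print(gate_tool_call("push_files", {"owner": "acme", "repo": "private-payroll"}, policy))
```

The gate is the part worth keeping even after you have fixed the token: a scoped token stops the server from reading the private repo, while the allowlist stops the agent from even asking, and the forced prompt keeps a human in front of any write. Neither replaces the other.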
Imagine spinning up news of a “critical vulnerability” in houses that leave all the doors unlocked, give strangers the keys anyway, and then post a sign that says “WELCOME – OPEN”. Someone might come in and see something!
The “vulnerability” is just… a configuration.
The fact that Invariant Labs claims “GitHub alone cannot resolve this vulnerability through server-side patches” is particularly damning to Invariant’s view of the world.
Of course they can’t because it’s not GitHub’s vulnerability! Users configuring their tools poorly may need a better configuration tool, but a vendor coming along to sell them a “solution” should call it a misconfiguration wizard not anything more.
Newsflash: you should not grant org-wide access to your data with auto-approve. Here’s a tool that costs nothing to make sure you don’t do that. Are we done yet?
Taking a configuration issue that’s solved by clicking different checkboxes when generating your GitHub token and turning it into a “critical vulnerability affecting 14k+ users” that requires proprietary monitoring tools doesn’t have the right balance and tone.
Let’s call this what it is: access grants are a critical requirement for safe AI, let alone trusted MCP. But that’s like saying least privilege and role-based access control have a market now, as if they haven’t existed for decades. Old wine, new bottles.