HIGH
agenticmail
CVE published 2026-06-12
CVE-2026-50287
CVE-2026-50287 is a HIGH severity vulnerability in AgenticMail. Prior to version 0.9.27, @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or MCP_HTTP=1. In that mode, the /mcp endpoint accepts requests without any HTTP authentication layer. A remote client can initialize a session and call tools directly. This issue has been patched in version 0.9.27.