CVE-2026-58446

MEDIUM 6.5

Presenton < 0.8.8-beta - Authentication Bypass of Session Auth via Unprotected MCP Endpoint

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication (AUTH_USERNAME/AUTH_PASSWORD), is reachable unauthenticated at /mcp because the nginx front-end does not apply the auth_request gate to that path and the MCP server auto-mints a valid internal session token for the configured user. A remote unauthenticated attacker can invoke MCP tools such as generate_presentation, performing authenticated application actions, consuming the operators configured LLM API keys, and creating presentations in the operators instance. The Electron desktop build is not affected (MCP disabled).

CWE	CWE-306
Vendor	presenton
Product	presenton
Published	Jun 30, 2026

Stay Ahead of the Next One

Get instant alerts for presenton presenton

Be the first to know when new medium vulnerabilities affecting presenton presenton are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Affected Versions

presenton / presenton

0 < 0.8.8-beta

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/presenton/presenton/releases/tag/electron-v0.8.8-beta github.com: https://github.com/presenton/presenton/issues/678 github.com: https://github.com/presenton/presenton/pull/679 github.com: https://github.com/presenton/presenton/commit/a1103dcef3c761cc8bab44e2862c81a49969abd7 vulncheck.com: https://www.vulncheck.com/advisories/presenton-beta-authentication-bypass-of-session-auth-via-unprotected-mcp-endpoint

Credits

George Chen