CVE-2026-50287

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published Jun 12, 2026

Vendor unknown

Description

AgenticMail gives AI agents real email addresses and phone numbers. Prior to version 0.9.27, @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or MCP_HTTP=1. In that mode, the /mcp endpoint accepts requests without any HTTP authentication layer. A remote client can initialize a session and call tools directly. This issue has been patched in version 0.9.27.

References

https://github.com/agenticmail/agenticmail/security/advisories/GHSA-63gr-g7jc-v8rg