Description
DeepTutor before version 1.4.10 contains an authorization bypass vulnerability that allows low-privilege users to invoke unrestricted MCP tools due to the allowed_mcp_tools function returning None instead of a denied result when mcp_tools is omitted from a user's grant in deeptutor/multi_user/tool_access.py. Attackers or prompt-injected content acting within a user session can enumerate and invoke any configured MCP tool, including filesystem, shell, and browser servers, gaining unauthorized access to sensitive deployment resources.
Problem types
Product status
Any version before 1.4.10
Credits
Chia Min Jun Lennon
References
github.com/HKUDS/DeepTutor/pull/579
github.com/HKUDS/DeepTutor/releases/tag/v1.4.10 (Release Notes)
github.com/HKUDS/DeepTutor/pull/579 (Fix PR)
github.com/...ommit/90046374b3dcd4f8a866d2d64a64440bc08eb2ef (Fix Commit)
www.vulncheck.com/...cted-mcp-tool-access-to-non-admin-users