Vulnerability  ·  2026-07-02

DeepTutor — MCP Tool Authorization Bypass Allows Low-Privilege Users to Invoke Any Configured MCP Tool

Vulnerability · High impact · Global · CVE-2026-58168
Published 2026-06-30 (CVSS 8.8 High), CVE-2026-58168 is a logic error in DeepTutor's multi-user MCP access control: the function that should return a deny result when a user's grant carries no MCP permission instead returns None, and the calling code treats None as allow-all. The DeepTutor project has 25,000+ GitHub stars. A proof-of-concept pull request (PR #579) was public at the time of disclosure.
MCP tools in AI tutoring platforms can include filesystem access, shell execution, and browser automation. A bypass that lets any low-privilege user, or prompt-injected content from an untrusted document acting on that user's behalf, invoke these tools amounts to arbitrary code execution and data exfiltration in the deployment environment. The prompt-injection vector is particularly dangerous in a tutoring context, where student-supplied content is routinely ingested.
The allowed_mcp_tools() function in deeptutor/multi_user/tool_access.py returns None when the mcp_tools permission key is absent from a user's grant record. The caller interprets None as unrestricted access (allow-all) rather than deny, so a user with no MCP grant at all ends up with more access than a user with a narrow one. A low-privilege user or prompt-injected content can therefore enumerate and invoke any configured MCP tool, including shell execution and filesystem access, without authorization. The property to verify in any similar code path: an authorization lookup must return an explicit empty result for "no permission", and its callers must deny on anything that is not a positive grant.
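The following is an added illustration of the bug class, not code from DeepTutor or from the fix commit. The grant records, tool names, and function names (allowed_mcp_tools_vulnerable, can_invoke_fixed, and so on) are constructed here to show how a None return becomes allow-all at the call site, and what the deny-by-default form looks like beside it.

```python
from typing import Callable, Optional

# Constructed sample grant records (hypothetical, not DeepTutor data).
# "student" has no "mcp_tools" key at all, the case the bug mishandles.
GRANTS = {
    "admin": {"mcp_tools": ["shell", "filesystem", "browser"]},
    "tutor": {"mcp_tools": ["browser"]},
    "student": {},
}

# Tools the deployment has configured (constructed sample).
CONFIGURED_TOOLS = ["shell", "filesystem", "browser"]


def allowed_mcp_tools_vulnerable(user: str) -> Optional[list]:
    """Reconstruction of the bug pattern: an absent key yields None
    instead of an explicit empty grant."""
    return GRANTS.get(user, {}).get("mcp_tools")


def can_invoke_vulnerable(user: str, tool: str) -> bool:
    """Caller that treats None as 'no restriction configured'."""
    allowed = allowed_mcp_tools_vulnerable(user)
    if allowed is None:
        return True  # allow-all: the logic error
    return tool in allowed


def allowed_mcp_tools_fixed(user: str) -> frozenset:
    """Hardened form: unknown user, missing key, or malformed value all
    collapse to an empty set, so callers never see a None to misread."""
    grant = GRANTS.get(user)
    if not isinstance(grant, dict):
        return frozenset()
    tools = grant.get("mcp_tools")
    if not isinstance(tools, (list, tuple, set, frozenset)):
        return frozenset()
    return frozenset(t for t in tools if isinstance(t, str))


def can_invoke_fixed(user: str, tool: str) -> bool:
    """Deny by default: the tool must be configured and explicitly granted."""
    return tool in CONFIGURED_TOOLS and tool in allowed_mcp_tools_fixed(user)


def enumerate_invocable(user: str, check: Callable[[str, str], bool]) -> list:
    """Everything a caller (or prompt-injected content acting as that user)
    could reach under a given authorization check."""
    return [t for t in CONFIGURED_TOOLS if check(user, t)]


def deny_by_default_holds(check: Callable[[str, str], bool]) -> bool:
    """Regression check: a principal with no grant must reach no tool."""
    return enumerate_invocable("student", check) == [] and \
        enumerate_invocable("nobody", check) == []


if __name__ == "__main__":
    print("vulnerable, student:", enumerate_invocable("student", can_invoke_vulnerable))
    print("fixed, student:     ", enumerate_invocable("student", can_invoke_fixed))
    print("fixed, tutor:       ", enumerate_invocable("tutor", can_invoke_fixed))
```

The deny_by_default_holds check is the kind of unit test worth keeping in a multi-user code base: it exercises the principal that has no grant record and the principal that has a record without the permission key, which are exactly the inputs a "None means unrestricted" caller gets wrong.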
Affected: HKUDS DeepTutor before 1.4.10
Fix: Upgrade to DeepTutor 1.4.10. Fix commit: https://github.com/HKUDS/DeepTutor/commit/90046374b3dcd4f8a866d2d64a64440bc08eb2ef
Sources
NVD: CVE-2026-58168
dbugs.ptsecurity.com: CVE-2026-58168 Detail
GitHub: fix commit