Technical description
AgenticMail's @agenticmail/mcp package (versions before 0.9.27) exposes a Streamable HTTP transport at the /mcp endpoint when started with --http or MCP_HTTP=1. This endpoint accepts all MCP requests without any HTTP authentication layer, allowing any remote client to read any email, send emails on behalf of any user, and access phone numbers associated with AgenticMail accounts — full account takeover without credentials.
Attack vector
Any remote client with network access to the /mcp HTTP endpoint can send unauthenticated MCP tool calls. This is a missing-authentication failure in an MCP server that gives AI agents real email addresses and phone numbers, making it a high-value target for reconnaissance, phishing infrastructure setup, and account takeover at scale.
Affected systems
@agenticmail/mcp package versions prior to 0.9.27. AgenticMail is a platform that assigns real email addresses and phone numbers to AI agents for production use.
Mitigation
Upgrade to @agenticmail/mcp version 0.9.27 or later. Until patched, do not expose the /mcp HTTP endpoint to any network segment accessible by untrusted parties. Prefer stdio transport mode instead of HTTP mode.
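For deployments that cannot leave HTTP mode right away, the missing control is an authentication check that runs before any MCP message is parsed. The sketch below is an added example, not AgenticMail's code and not the 0.9.27 fix; `mcpHandler`, the token value and the port are hypothetical.

```javascript
// Added example (not AgenticMail code): bearer-token gate for an HTTP-mode MCP endpoint.
const crypto = require('node:crypto');
const http = require('node:http');

// Compare fixed-length SHA-256 digests in constant time, so neither the
// token's length nor its content leaks through response timing.
function tokenMatches(presented, expected) {
  const digest = (s) => crypto.createHash('sha256').update(s, 'utf8').digest();
  return crypto.timingSafeEqual(digest(presented), digest(expected));
}

// Decide the status for a request before any MCP message is parsed.
// 200 means "hand the request to the MCP handler"; anything else is final.
function gateStatus(req, expectedToken) {
  if (!expectedToken) return 503; // fail closed when no token is configured
  let path;
  try { path = new URL(req.url, 'http://localhost').pathname; } catch { return 400; }
  if (path !== '/mcp') return 404;
  const match = /^Bearer (\S+)$/i.exec(req.headers.authorization || '');
  if (!match || !tokenMatches(match[1], expectedToken)) return 401;
  return 200;
}

// mcpHandler is a hypothetical (req, res) callback that passes the request on
// to the MCP transport; it is only reached after the gate returns 200.
function createGatedServer(expectedToken, mcpHandler) {
  return http.createServer((req, res) => {
    const status = gateStatus(req, expectedToken);
    if (status === 200) return mcpHandler(req, res);
    const headers = status === 401 ? { 'WWW-Authenticate': 'Bearer' } : {};
    res.writeHead(status, headers).end();
  });
}

// Constructed sample requests (header values are made up for this example).
const SAMPLE_TOKEN = 'constructed-token-for-example-only';
const samples = [
  { url: '/mcp', headers: {} },
  { url: '/mcp', headers: { authorization: 'Bearer wrong-token' } },
  { url: '/mcp', headers: { authorization: `Bearer ${SAMPLE_TOKEN}` } },
];
for (const s of samples) {
  console.log(s.headers.authorization ? 'with header' : 'no header', '->', gateStatus(s, SAMPLE_TOKEN));
}
// To serve on loopback only: createGatedServer(token, handler).listen(8080, '127.0.0.1')
```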