Auth bypass in Cursortouch Windows-mcp

CVE-2026-48989

Windows-MCP is an open-source project that integrates AI agents with Windows. In versions prior to 0.7.5, certain HTTP modes exposed the MCP control plane without authentication while enabling wildcard CORS (allow_origins=*, allow_methods=…

Vulnerability class: Broken Authentication

Affected products

Cursortouch Windows-mcp — versions < 0.7.5

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

References

security-advisories@github.com (x_refsource_CONFIRM)
security-advisories@github.com (x_refsource_MISC)