[BUG]: SSE and /mcp list paths ignore visibility filters

[mekedron]

🐞 Bug Summary

Public access tokens created in the “All Teams” namespace are able to access team-scoped and private MCP servers and tools, despite the UI explicitly stating that such tokens should be restricted to public-only resources.
This results in unintended privilege escalation and represents a high-priority security issue.

---

🧩 Affected Component

• mcpgateway - API
• mcpgateway - UI (admin panel)
• mcpgateway.wrapper - stdio wrapper
• Federation or Transports
• CLI, Makefiles, or shell scripts
• Container setup (Docker/Podman/Compose)
• Other (explain below)

---

🔁 Steps to Reproduce

1. In the admin UI, navigate to 🎫 API Tokens.
2. Select the “All Teams” namespace.
3. Create a new Public Access Token.
   • UI description states the token should have public-only access.
4. In 🖥️ MCP Servers, configure three MCP servers:
   • http://test-mcp-1.mcp.svc.cluster.local/mcp (public)
   • http://test-mcp-2.mcp.svc.cluster.local/mcp (team)
   • http://test-mcp-3.mcp.svc.cluster.local/mcp (private)
   • All servers use streamable HTTP mode.
5. Verify that all tools/resources are discovered correctly.
6. Open the Cloudflare MCP Playground: https://playground.ai.cloudflare.com/
7. Connect to the mcp-context-forge gateway using:
   • URL: https://mcp.example.com/sse
   • Header: Authorization: Bearer <public-token>
8. Observe the list of available tools and MCP servers.

---

🤔 Expected Behavior

The public access token should only expose tools and resources from:

• Public MCP servers (e.g. test-mcp-1)

The token must not be able to see or invoke:

• Team-scoped MCP servers
• Private MCP servers
• Any non-public tools, resources, or prompts

---

❗ Actual Behavior

• The public access token can:
  • See all tools from all MCP servers
  • Successfully invoke tools from:
    • test-mcp-2 (team)
    • test-mcp-3 (private)
• Access restrictions described in the UI are not enforced by the API.

This fully bypasses server visibility and access controls.

---

📓 Logs / Error Output

After manually deleting the token record from the database (since revoking the token via the admin UI leaves related DB records behind), the Cloudflare MCP Playground fails with an authorization error when attempting to reconnect.

---

🧠 Environment Info

Key	Value
Version or commit	arm64-54e7a86c0ba066ac2d1e6c6d3c2124abbcd8518d
Runtime	Python
Platform / OS	Linux (Kubernetes)
Container	Docker on Kubernetes

---

🧩 Additional Context

• Token revocation via the admin UI does not fully clean up token-related records in the database.
• Manual DB deletion is required to cleanup the DB after token invalidation.
• Given the scope of access bypass, this issue should be treated as high priority from a security standpoint.

[brian-hussey]

Looking at this one now.

[mekedron]

Hi @brian-hussey, thanks!
Please let me know if you need any info

[brian-hussey]

I've reproduced the issue, steps as above to number 5, then using curl:

curl -X 'GET' \
  'http://localhost:4444/tools?include_pagination=false&include_inactive=false' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer REDACTED' \
  -H 'Content-Type: application/json' >

Results in output containing all three MCP server visibility types:

[...]
    "visibility": "private",
[...]
    "visibility": "team",
[...]
    "visibility": "public",
[...]

Looking into where this issue is coming from now.

[brian-hussey]

Results from my investigation so far:

1. The admin UI incorrectly states this message in the "All Teams" context:

2. Tokens created from this context by an admin user will end up in the Platform Administrator's team which is granted ["*"] permissions with global scope in the database.
3. Setting up a separate (non admin) user, and creating the token for this user the visibility works as expected. Public tools available and team/private ones are not.

So for potential workaround immediately:
It's possible to create the specific token with specific permissions as per: https://github.com/IBM/mcp-context-forge/blob/main/docs/docs/manage/securing.md#permission-scoped-tokens

# Generate permission-scoped token
python3 -m mcpgateway.utils.create_jwt_token \
  --username user@example.com \
  --scopes '{"permissions": ["tools.read", "resources.read"]}'

To resolve this, I suggest we:

1. Remove the message above.
2. Change the UI to not rely on the overall gateway administration context for the actions in the tokens view except to filter the view.
3. Show all API Tokens (not just "Your API tokens" - which is incorrect too)
4. List of API tokens should show the token's:
   1. Name, user_email it is tied to, or the team it is in, and the permissions that the token has, expiration date,
5. In the "Create a new token" part of the UI" we should show the user that the token applies to and allow the administrator to set different users that the API token should be assigned to.

I think this makes the permissions and who owns the token and the permissions it has far more obvious to the user, and should remove the need for the context specific message about a Public Access token and context specific logic for a Public Access token.

@mekedron How does that sound to you, and could you check if the workaround suits you for the moment please?

@kevalmahajan @madhav165 @crivetimihai Any thoughts or concerns with this approach? Especially with the Beta-2 release coming up.