Skip to content

[FIX][PLUGINS]: Fix X-Vault-Token header leaking to MCP servers on misconfiguration#3033

Merged
crivetimihai merged 3 commits intoIBM:mainfrom
popagruia:Fix_x_vault_token_propagation
Feb 20, 2026
Merged

[FIX][PLUGINS]: Fix X-Vault-Token header leaking to MCP servers on misconfiguration#3033
crivetimihai merged 3 commits intoIBM:mainfrom
popagruia:Fix_x_vault_token_propagation

Conversation

@popagruia
Copy link
Copy Markdown
Contributor

@popagruia popagruia commented Feb 18, 2026

📝 Summary

Security fix for vault_plugin. When a MCP server is added with header passthrough for X-Vault-Tokens but system tag is none or missing the X-Vault-Tokens is send to server.

🏷️ Type of Change

  • [ x] Bug fix
  • Feature / Enhancement
  • Documentation
  • Refactor
  • Chore (deps, CI, tooling)
  • Other (describe below)

🧪 Verification

Check Command Status
Lint suite make lint
Unit tests make test
Coverage ≥ 80% make coverage

✅ Checklist

  • Code formatted (make black isort pre-commit)
  • [x ] Tests added/updated for changes
  • [NA ] Documentation updated (if applicable)
  • No secrets or credentials committed

@popagruia popagruia force-pushed the Fix_x_vault_token_propagation branch from 93aa232 to 7c6a992 Compare February 18, 2026 13:45
crivetimihai
crivetimihai previously approved these changes Feb 19, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@crivetimihai crivetimihai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good security fix. The X-Vault-Tokens header was leaking to the upstream MCP server in three cases:

  1. JSON parse error — returned ToolPreInvokeResult() without removing the header
  2. No token match — returned ToolPreInvokeResult() without removing the header
  3. Only removed on if modified — missed the case where processing happened but no auth header was added

Moving the del headers[vault_header_name] immediately after parsing (and also in the error path) ensures the header is always stripped regardless of downstream logic. Tests correctly verify removal in both error and no-match scenarios.

@crivetimihai
x-vault-tokens is not propagated even if the system is misscomfigured
e5783fc 
Signed-off-by: popagruia <adrian.popa@ro.ibm.com>
@crivetimihai crivetimihai added this to the Release 1.0.0-GA milestone Feb 20, 2026
@crivetimihai crivetimihai added the bug Something isn't working label Feb 20, 2026
@crivetimihai crivetimihai changed the title x-vault-tokens is not propagated even if the system is misscomfigured [FIX][PLUGINS]: Fix X-Vault-Token header leaking to MCP servers on misconfiguration Feb 20, 2026
@crivetimihai crivetimihai added the MUST P1: Non-negotiable, critical requirements without which the product is non-functional or unsafe label Feb 20, 2026
@crivetimihai
fix(vault): strip X-Vault-Tokens header when system tag is missing an…
23fc9a3 
…d validate parsed token type

- Strip vault header even when system cannot be determined from gateway metadata
- Validate that parsed vault tokens are a JSON object (dict), not array/string/etc.
- Remove misleading type annotation on orjson.loads result
- Update test to verify header stripping on missing system tag

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai
test: add coverage for no-system-tag and non-dict vault tokens paths
0275a4d 
Add two new test cases:
- test_no_system_tag_no_vault_header_returns_empty: covers the branch
  where system key cannot be determined and no vault header is present
- test_non_dict_json_vault_tokens_stripped: covers the isinstance guard
  ensuring non-dict JSON (e.g. arrays) strips the vault header without
  injecting auth headers

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai crivetimihai force-pushed the Fix_x_vault_token_propagation branch from 7c6a992 to 0275a4d Compare February 20, 2026 16:00
@crivetimihai
Copy link
Copy Markdown
Member

crivetimihai commented Feb 20, 2026

Review Changes

Rebased onto main and made the following changes:

Triage

  • Title, labels (bug, MUST), and milestone (Release 1.0.0-GA) already correct — no changes needed.

Fixes

  • plugins/vault/vault_plugin.py: Added vault header stripping when system tag cannot be determined (the not system_key path now removes X-Vault-Tokens before returning). This closes the remaining leak vector where a misconfigured gateway with no system: tag would still forward the vault header.
  • plugins/vault/vault_plugin.py: Added isinstance(vault_tokens, dict) guard after JSON parsing — non-dict JSON (e.g. arrays, strings) now strips the vault header and returns without injecting auth headers.

Tests

  • tests/unit/mcpgateway/plugins/plugins/vault/test_vault_plugin.py:
    • Added test_no_system_tag_no_vault_header_returns_empty — covers the branch where system key cannot be determined and no vault header is present (should return empty result, not modified payload)
    • Added test_non_dict_json_vault_tokens_stripped — covers the isinstance guard ensuring non-dict JSON payloads (e.g. ["not", "a", "dict"]) strip the vault header without injecting auth
    • All 12 tests passing

Notes

  • Rebase onto main was clean (no conflicts)
  • Case-insensitive header matching for vault header lookup is a pre-existing consideration outside this PR's scope
  • All checks passing locally

@popagruia — please review the changes and let me know if anything looks off.

@crivetimihai crivetimihai merged commit 98dfb23 into IBM:main Feb 20, 2026
54 checks passed
vishu-bh pushed a commit that referenced this pull request Feb 24, 2026
@popagruia @crivetimihai
[FIX][PLUGINS]: Fix X-Vault-Token header leaking to MCP servers on mi…
2a5fdf9 
…sconfiguration (#3033)

* x-vault-tokens is not propagated even if the system is misscomfigured

Signed-off-by: popagruia <adrian.popa@ro.ibm.com>

* fix(vault): strip X-Vault-Tokens header when system tag is missing and validate parsed token type

- Strip vault header even when system cannot be determined from gateway metadata
- Validate that parsed vault tokens are a JSON object (dict), not array/string/etc.
- Remove misleading type annotation on orjson.loads result
- Update test to verify header stripping on missing system tag

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* test: add coverage for no-system-tag and non-dict vault tokens paths

Add two new test cases:
- test_no_system_tag_no_vault_header_returns_empty: covers the branch
  where system key cannot be determined and no vault header is present
- test_non_dict_json_vault_tokens_stripped: covers the isinstance guard
  ensuring non-dict JSON (e.g. arrays) strips the vault header without
  injecting auth headers

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: popagruia <adrian.popa@ro.ibm.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: popagruia <adrian.popa@ro.ibm.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crivetimihai crivetimihai crivetimihai left review comments

@kevalmahajan kevalmahajan Awaiting requested review from kevalmahajan

@madhav165 madhav165 Awaiting requested review from madhav165

Assignees

No one assigned

Labels

bug Something isn't working MUST P1: Non-negotiable, critical requirements without which the product is non-functional or unsafe

Projects

None yet

Milestone

Release 1.0.0-RC2

Development

Successfully merging this pull request may close these issues.

2 participants

@popagruia @crivetimihai