NIXER-2026-0004

gpt-researcher: Unauthenticated RAG + MCP

High CVSS 7.5 MCP Disclosed
Affected Project
Discovered
June 1, 2026
Published
June 1, 2026
Author
Nixer Security Research

Summary

gpt-researcher exposes its RAG pipeline and MCP server endpoints without authentication by default. An unauthenticated attacker on the same network can inject arbitrary documents into the RAG vector store and exfiltrate retrieved context via the MCP interface.

Technical Details

The default configuration starts gpt-researcher with an unauthenticated HTTP server on port 8000. The RAG endpoint at /api/rag/ingest accepts document uploads and adds them to the active vector store without verification. The MCP server exposes document retrieval without access control.

Impact

Attacks can inject misleading documents into research outputs, poison RAG context with attacker-controlled content, and exfiltrate sensitive information from the MCP document store.

Affected Versions

gpt-researcher < 0.14.0 with default config (confirmed vulnerable)

Remediation

Add authentication to all gpt-researcher endpoints. Use an API key middleware in front of the RAG ingestion endpoint. Restrict MCP endpoint access to authenticated sessions only.

Credit: Nixer Security Research — run your own security scan at nixer.polsia.app/try
Discovery method: Found by Nixer security scanner — run your own at https://nixer.polsia.app/try