gpt-researcher: Unauthenticated RAG + MCP
Summary
gpt-researcher exposes its RAG pipeline and MCP server endpoints without authentication by default. An unauthenticated attacker on the same network can inject arbitrary documents into the RAG vector store and exfiltrate retrieved context via the MCP interface.
Technical Details
The default configuration starts gpt-researcher with an unauthenticated HTTP server on port 8000. The RAG endpoint at /api/rag/ingest accepts document uploads and adds them to the active vector store without verification. The MCP server exposes document retrieval without access control.
Impact
Attacks can inject misleading documents into research outputs, poison RAG context with attacker-controlled content, and exfiltrate sensitive information from the MCP document store.
Affected Versions
gpt-researcher < 0.14.0 with default config (confirmed vulnerable)
Remediation
Add authentication to all gpt-researcher endpoints. Use an API key middleware in front of the RAG ingestion endpoint. Restrict MCP endpoint access to authenticated sessions only.