A vulnerable-by-design MCP server for learning object-level authz (BOLA/IDOR) bugs

[WRG-11]

Pre-submission Checklist

• This post follows the MCP community guidelines

What would you like to share?

Most MCP security writing I see is about prompt injection and tool poisoning. There's a quieter class the usual test suites and scanners don't catch: object-level / cross-tenant authorization (BOLA/IDOR). When an MCP server is multi-tenant, every tool that resolves an object from a client-supplied id has to check the caller is actually allowed to touch that object. Miss the check on a single tool and you've got a cross-tenant read/write/delete, no matter how good the prompt-injection defenses are.

What I built: I couldn't find a focused, runnable place to practice spotting exactly that in an MCP context, so I made a small one. It's a multi-tenant note server with six MCP tools. Five are correctly authorized; exactly one is missing its object check, so a caller in one org can reach another org's data through it. The broken tool looks just like its siblings, it's just missing a single line.

How it works: the PoC is a real MCP client running a two-way gate. In the vuln build the cross-tenant delete succeeds while a correctly-scoped tool still denies (so it's one broken tool, not a globally missing check); in the fixed build that same call is blocked while the legitimate same-tenant call still works (so the fix doesn't over-block). npm install && npm run poc runs it locally over stdio, no network, all synthetic data. One env var (LAB_MODE) toggles vuln/fixed.

The challenge was making the bug subtle rather than a toy: the broken tool is line-for-line like its correctly-scoped siblings except for the missing object check, which is how it tends to slip in for real. It also ships a hunt-checklist for the pattern (client-supplied scope trusted as authz, membership check decoupled from object resolution, the single outlier tool, wildcard/sentinel short-circuits, role/token-type bypass, list→get asymmetry, and so on).

The pattern comes from finding this class in real multi-tenant apps, not just theory, so I'd value a gut-check from people who actually build MCP servers: does the broken tool look realistic, and is there anything you'd add to the checklist?

Relevant Links

• Repo: https://github.com/WRG-11/mcp-objauthz-lab