Anonymous Intelligence Signal

MCP JWT Authentication Flaw in Apache Superset Enables Account Takeover via Claim Manipulation

human The Lab unverified 2026-05-07 12:31:42 Source: GitHub Issues

A critical authentication bypass vulnerability has been identified in the Model Context Protocol (MCP) service implementation within Apache Superset. It allows an attacker who holds an identity at a federated identity provider (IdP) to authenticate as any user, including administrative accounts, by exploiting how JWT claims are resolved during login.

The flaw resides in `superset/mcp_service/mcp_config.py`, specifically within the `default_user_resolver` function. The authentication flow prioritizes mutable, end-user-controlled claims—`preferred_username`, `username`, and `email`—over the canonical, identity provider-controlled `sub` claim. When combined with a username-or-email lookup mechanism during authentication, this design permits an attacker with control over their IdP identity (such as in multi-tenant or self-service identity provider deployments) to authenticate as any Superset user by registering or modifying their identity attributes at the IdP to match the target username or email.

The vulnerability is scoped to deployments where `MCP_AUTH_ENABLED` is enabled and the service federates authentication through an external IdP. In such environments, the default claim-resolution order creates a direct path to account takeover, including full compromise of administrative accounts. Attackers do not require prior knowledge of target credentials, only the ability to manipulate identity claims at the federated IdP level. The issue was classified as High severity and characterized as an authentication bypass with potential for complete account takeover.

Security teams running affected Superset deployments with federated MCP authentication should immediately review whether `MCP_AUTH_ENABLED` is in use, assess IdP trust models, and consider disabling the feature or implementing compensating controls until a patch is available. The reliance on mutable identity claims rather than stable, IdP-controlled identifiers represents a fundamental authentication logic weakness that could have broader implications across similar identity federation patterns.
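The claim-ordering weakness described above, next to a subject-bound resolver, as an added example. This is a simplified model, not Superset's code: the function names, the user directory, the binding table and the sample claims are all hypothetical and constructed, and the token's signature, issuer and audience are assumed to have been validated before either resolver runs.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    username: str
    email: str
    is_admin: bool = False

# Constructed sample directory (hypothetical accounts).
USERS = [User("admin", "admin@corp.example", True), User("alice", "alice@corp.example")]

# Constructed binding table provisioned by an administrator:
# (issuer, subject) -> local username. Not editable by the end user.
SUBJECT_BINDINGS = {("https://idp.example", "a1f3-alice"): "alice"}

def find_by_username_or_email(value: str) -> Optional[User]:
    return next((u for u in USERS if value in (u.username, u.email)), None)

def resolve_mutable_first(claims: dict) -> Optional[User]:
    """Weak order: profile claims are tried before `sub`."""
    for name in ("preferred_username", "username", "email", "sub"):
        value = claims.get(name)
        if isinstance(value, str) and value:
            user = find_by_username_or_email(value)
            if user:
                return user
    return None

def resolve_by_subject(claims: dict) -> Optional[User]:
    """Hardened: only the (iss, sub) pair selects the account."""
    iss, sub = claims.get("iss"), claims.get("sub")
    if not (isinstance(iss, str) and isinstance(sub, str) and iss and sub):
        return None  # reject tokens without a usable issuer and subject
    username = SUBJECT_BINDINGS.get((iss, sub))
    if username is None:
        return None  # unknown subject: no fallback to username or email
    return next((u for u in USERS if u.username == username), None)

# Constructed claims: same subject as alice's binding, but the self-service
# profile field no longer matches the bound account.
SELF_EDITED = {"iss": "https://idp.example", "sub": "a1f3-alice",
               "preferred_username": "admin", "email": "alice@corp.example"}

if __name__ == "__main__":
    print("mutable-first ->", resolve_mutable_first(SELF_EDITED))
    print("subject-bound ->", resolve_by_subject(SELF_EDITED))
```

A disagreement between the two resolvers on the same token is also a useful review or alerting signal when auditing a custom resolver.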