Vectra AI RUX MCP Server

by github.com/vectra-ai-research · Ai-Ml


Vectra AI MCP Server - An MCP server that connects AI assistants & agents to the Vectra AI security platform, enabling intelligent threat analysis and automated incident response.

Vectra AI MCP Server

This project implements an MCP server for the Vectra AI Platform.

What is Vectra AI MCP?

An MCP server that connects AI assistants to your Vectra AI security platform, enabling intelligent analysis of threat detection data, security insights, and automated incident response workflows. Compatible with Claude, ChatGPT, Cursor, VS Code and other MCP-enabled AI tools.

[Figure: mcp-diagram]

What can you do with Vectra AI MCP?

  • Investigate threats in natural language
  • Take response actions in Vectra directly from your AI agent
  • Correlate and analyze security data using prompts
  • Dynamically build advanced visualizations for analysis
  • Generate investigation reports from natural language

Setup - Host Locally

Prerequisites

  1. Install Python (check the .python-version file for the required version)

  2. Install uv - Python package manager

# On macOS/Linux
curl -LsSf https://astral.sh/uv/install.sh | sh

# On Windows
powershell -c "irm https://astral.sh/uv/install.ps1 | iex"

# Or via pip
pip install uv

Setup Steps

  1. Clone/Download the project to your local machine
  2. Navigate to the project directory:
cd your-project-directory
  3. Configure environment variables:
# Copy the example environment file
cp .env.example .env

Then edit the .env file with your actual Vectra AI Platform credentials. Required variables to update:

  • VECTRA_BASE_URL: Your Vectra portal URL
  • VECTRA_CLIENT_ID: Your client ID from Vectra
  • VECTRA_CLIENT_SECRET: Your client secret from Vectra

  4. Create and activate a virtual environment:

uv venv

# Activate it:
# On macOS/Linux:
source .venv/bin/activate

# On Windows:
.venv\Scripts\activate
  5. Install dependencies:
uv sync

This will install all dependencies specified in pyproject.toml using the exact versions from uv.lock.

  6. Run the application:

The server supports multiple transport protocols:

# Run with stdio transport (default, for Claude Desktop)
python server.py
python server.py --transport stdio

# Run with SSE transport (for HTTP-based MCP clients)
python server.py --transport sse --host 0.0.0.0 --port 8000

# Run with streamable-http transport (for production HTTP deployments)
python server.py --transport streamable-http --host 0.0.0.0 --port 8000

# Enable debug logging
python server.py --debug

Transport Options:
  • stdio: Standard input/output communication (default, used by Claude Desktop)
  • sse: Server-Sent Events over HTTP (good for web-based clients)
  • streamable-http: Streamable HTTP transport (recommended for production HTTP deployments)

Environment Variables: You can also configure the server using environment variables:

export VECTRA_MCP_TRANSPORT=streamable-http
export VECTRA_MCP_HOST=0.0.0.0
export VECTRA_MCP_PORT=8000
export VECTRA_MCP_DEBUG=true
python server.py

MCP Configuration for Claude Desktop

  1. Add MCP Server to Claude Desktop:
# On macOS:
# Open Claude Desktop configuration file
code ~/Library/Application\ Support/Claude/claude_desktop_config.json

# On Windows:
# Open Claude Desktop configuration file
notepad %APPDATA%/Claude/claude_desktop_config.json

Add the following configuration to the mcpServers section (update the paths to match your setup):

{
  "mcpServers": {
    "vectra-ai-mcp": {
      "command": "/path/to/your/uv/binary",
      "args": [
        "--directory",
        "/path/to/your/project/directory",
        "run",
        "server.py"
      ]
    }
  }
}

Example with actual paths:

{
  "mcpServers": {
    "vectra-ai-mcp": {
      "command": "/Users/yourusername/.local/bin/uv",
      "args": [
        "--directory",
        "/Users/yourusername/path/to/vectra-mcp-project",
        "run",
        "server.py"
      ]
    }
  }
}
  2. Debug - Find your uv installation path:
# Find where uv is installed
which uv
# or
where uv
  3. Debug - Get your project's absolute path:
# From your project directory, run:
pwd
  4. Restart Claude Desktop to load the new MCP server configuration.

Other MCP Client Setup

Once configured, you should be able to use Vectra AI Platform capabilities directly within Claude Desktop or other MCP clients through this MCP server!

For other MCP clients besides Claude Desktop, refer to the documentation links below:

MCP Client Documentation Link
General MCP Setup https://modelcontextprotocol.io/quickstart/user
Cursor https://docs.cursor.com/en/context/mcp#using-mcp-json
VS Code https://code.visualstudio.com/docs/copilot/chat/mcp-servers#_add-an-mcp-server

For other MCP clients, refer to their respective documentation. The general pattern is similar - you'll need to specify the command and arguments to run the MCP server with the same configuration structure.

Setup - Docker Deployment

For production deployments or easier setup, you can run the Vectra AI MCP Server using Docker. We provide two options:

Option 1: Using Pre-built Images (Recommended)

The easiest way to get started is using our pre-built Docker images from GitHub Container Registry.

Prerequisites

Quick Start Steps

  1. Configure environment variables:
# Copy the example environment file
cp .env.example .env

Then edit the .env file with your actual Vectra AI Platform credentials.

  2. Run with pre-built image:

Streamable HTTP Transport (Recommended for Production)

docker run -d \
  --name vectra-mcp-server-http \
  --env-file .env \
  -e VECTRA_MCP_TRANSPORT=streamable-http \
  -e VECTRA_MCP_HOST=0.0.0.0 \
  -e VECTRA_MCP_PORT=8000 \
  -p 8000:8000 \
  --restart unless-stopped \
  ghcr.io/vectra-ai-research/vectra-ai-mcp-server:latest

SSE Transport (Server-Sent Events)

docker run -d \
  --name vectra-mcp-server-sse \
  --env-file .env \
  -e VECTRA_MCP_TRANSPORT=sse \
  -e VECTRA_MCP_HOST=0.0.0.0 \
  -e VECTRA_MCP_PORT=8000 \
  -p 8000:8000 \
  --restart unless-stopped \
  ghcr.io/vectra-ai-research/vectra-ai-mcp-server:latest

Stdio Transport (For Local MCP Clients)

docker run -d \
  --name vectra-mcp-server-stdio \
  --env-file .env \
  -e VECTRA_MCP_TRANSPORT=stdio \
  --restart unless-stopped \
  ghcr.io/vectra-ai-research/vectra-ai-mcp-server:latest
  3. Or use Docker Compose (Alternative):

Create a docker-compose.yml file:

version: '3.8'
services:
  vectra-mcp-server:
    image: ghcr.io/vectra-ai-research/vectra-ai-mcp-server:latest
    container_name: vectra-mcp-server
    env_file: .env
    environment:
      - VECTRA_MCP_TRANSPORT=streamable-http
      - VECTRA_MCP_HOST=0.0.0.0
      - VECTRA_MCP_PORT=8000
    ports:
      - "8000:8000"
    restart: unless-stopped

Then run:

docker-compose up -d

Available Tags:
  • latest: Latest stable build from main branch
  • main: Latest build from main branch (same as latest)
  • v*: Specific version tags (e.g., v1.0.0)

💡 Tip: Pre-built images are automatically built and published via GitHub Actions whenever code is pushed to the main branch or when releases are tagged. This ensures you always get the latest tested version without needing to build locally.

Option 2: Build from Source

For development or customization, you can build the Docker image from source.

Prerequisites

  1. Install Docker and Docker Compose:
     • Docker Desktop (includes Docker Compose)
     • Or install Docker Engine and Docker Compose separately on Linux

Build from Source Steps

  1. Clone/Download the project to your local machine
  2. Navigate to the project directory:
cd your-project-directory
  3. Configure environment variables:
# Copy the example environment file
cp .env.example .env

Then edit the .env file with your actual Vectra AI Platform credentials.

  4. Build and run with Docker:
# Build the image
docker build -t vectra-mcp-server .
  5. Run the locally built image:

Choose your transport mode and run with the locally built image:

Streamable HTTP Transport

docker run -d \
  --name vectra-mcp-server-http \
  --env-file .env \
  -e VECTRA_MCP_TRANSPORT=streamable-http \
  -e VECTRA_MCP_HOST=0.0.0.0 \
  -e VECTRA_MCP_PORT=8000 \
  -p 8000:8000 \
  --restart unless-stopped \
  vectra-mcp-server

SSE Transport

docker run -d \
  --name vectra-mcp-server-sse \
  --env-file .env \
  -e VECTRA_MCP_TRANSPORT=sse \
  -e VECTRA_MCP_HOST=0.0.0.0 \
  -e VECTRA_MCP_PORT=8000 \
  -p 8000:8000 \
  --restart unless-stopped \
  vectra-mcp-server

Stdio Transport

docker run -d \
  --name vectra-mcp-server-stdio \
  --env-file .env \
  -e VECTRA_MCP_TRANSPORT=stdio \
  --restart unless-stopped \
  vectra-mcp-server

Docker Environment Variables

The Docker container supports all the same environment variables as the local setup, plus additional MCP server configuration:

MCP Server Configuration

  • VECTRA_MCP_TRANSPORT: Transport protocol (stdio, sse, or streamable-http) - default: stdio
  • VECTRA_MCP_HOST: Host to bind to for HTTP transports - default: 0.0.0.0
  • VECTRA_MCP_PORT: Port for HTTP transports - default: 8000
  • VECTRA_MCP_DEBUG: Enable debug logging - default: false

Accessing the HTTP Server

When running with HTTP transports (sse or streamable-http), the MCP server will be available at:
  • Streamable HTTP: http://localhost:8000/mcp
  • SSE: http://localhost:8000/sse

MCP Client Configuration for Docker

For HTTP-based MCP clients connecting to the Dockerized server, use the appropriate endpoint:

{
  "mcpServers": {
    "vectra-ai-mcp": {
      "transport": {
        "type": "http",
        "url": "http://localhost:8000/"
      }
    }
  }
}

Docker Health Checks

The Docker container includes health checks that will verify the server is running properly:
  • For stdio transport: Always reports healthy (no HTTP endpoint to check)
  • For HTTP transports: Checks HTTP endpoint availability

Note: MCP (Model Context Protocol) is an emerging and rapidly evolving technology. Exercise caution when using this server and follow security best practices, including proper credential management and network security measures.

get_detection_details Get complete detailed information for a particular detection

Parameters

detection_id ID of the detection to retrieve details for (minimum: 1)
list_detections_with_details List detections with filtering and sorting options with detailed information

Parameters

ordering Order by last_timestamp, created_datetime, or id. Defaults to ordering by last_timestamp
detection_category Filter by detection category (command, botnet, lateral, reconnaissance, exfiltration, info)
detection_name Filter by detection name (supports partial word match)
state Filter by detection state (active, inactive, fixed, filteredbyai, filteredbyrule)
src_ip Filter by source IP address of the host that generated the detection
start_date Filter by start date (YYYY-MM-DDTHH:MM:SS)
end_date Filter by end date (YYYY-MM-DDTHH:MM:SS)
is_targeting_key_asset Filter for detections targeting a key asset
limit Maximum number of detections to return (1-1000, default: 1000)
get_detection_count Get the total count of detections matching the specified criteria

Parameters

start_date Filter by start date (YYYY-MM-DDTHH:MM:SS)
end_date Filter by end date (YYYY-MM-DDTHH:MM:SS)
detection_category Filter by detection category
state Filter by detection state (active, inactive, fixed, filteredbyai, filteredbyrule)
detection_name Filter by detection name (supports partial word match)
src_ip Filter by source IP address of the host that generated the detection
is_targeting_key_asset Filter for detections targeting a key asset
get_detection_pcap Get pcap file for a specific detection

Parameters

detection_id ID of the detection to retrieve pcap for (minimum: 1)
list_entity_detections List all detections with full details for a specific entity

Parameters

entity_id ID of the entity to list detections for (minimum: 1)
state Filter by detection state (active, inactive, fixed, filteredbyai, filteredbyrule)
list_detections_with_basic_info List detections with basic information and filtering options

Parameters

state Filter by detection state (active, inactive, fixed, filteredbyai, filteredbyrule)
ordering Order by last_timestamp, created_datetime, or id
detection_category Filter by detection category (command, botnet, lateral, reconnaissance, exfiltration, info)
detection_name Filter by detection name (supports partial word match)
src_ip Filter by source IP address of the host that generated the detection
start_date Filter by start date (YYYY-MM-DDTHH:MM:SS)
end_date Filter by end date (YYYY-MM-DDTHH:MM:SS)
is_targeting_key_asset Filter for detections targeting a key asset
limit Maximum number of detections to return (1-1000)
get_detection_summary Get a concise summary of a detection including ID, name, category, timestamp, and status

Parameters

detection_id ID of the detection to retrieve summary for (minimum: 1)
list_detection_ids List detection IDs with filtering and sorting options

Parameters

ordering Order by last_timestamp, created_datetime, or id
state Filter by detection state (active, inactive, fixed, filteredbyai, filteredbyrule)
detection_category Filter by detection category (command, botnet, lateral, reconnaissance, exfiltration, info)
detection_name Filter by detection name (supports partial word match)
src_ip Filter by source IP address of the host that generated the detection
start_date Filter by start date (YYYY-MM-DDTHH:MM:SS)
end_date Filter by end date (YYYY-MM-DDTHH:MM:SS)
is_targeting_key_asset Filter for detections targeting a key asset
limit Maximum number of detections to return (1-1000, default: 1000)
list_entities List entities (hosts & accounts) in Vectra platform based on various filters

Parameters

entity_type Select type of entity to retrieve (account or host)
state Filter by entity state (active, inactive)
ordering Order by urgency_score, last_detection_timestamp, last_modified_timestamp, or name (prefix with - for descending)
name Filter by entity name (supports partial word match)
host_ip Filter by entity IP address (only applicable for host entities)
is_prioritized Filter for prioritized entities or non-prioritized entities
tags Filter for entities with a particular tag
limit Maximum number of entities to return (1-1000, default: 1000)
get_account_details Get complete detailed information about a specific account entity

Parameters

account_id ID of the account in Vectra platform to retrieve details for (minimum: 1)
fields Fields to return in the results (optional)
exclude_fields Fields to exclude in the response object (optional)
include_access_history Include account access history in the response
include_detection_summaries Include detection summaries in the response
include_external Include external data in the response
src_linked_account Source linked account filter
lookup_entity_info_by_name Retrieve information about an entity (account or host) by its name

Parameters

entity_name Name or partial name of the entity to look up (no spaces allowed)
get_host_details Get complete detailed information about a specific host entity

Parameters

host_id ID of the host entity to retrieve details for (minimum: 1)
lookup_host_by_ip Retrieve information about a host entity by its IP address

Parameters

host_ip IP address of the host to look up (must be valid IPv4 or IPv6)
list_assignments List all investigation assignments with optional filtering by timestamp and resolved state

Parameters

resolved Filter assignments by resolved state (True for resolved, False for unresolved)
created_after List assignments created at or after this timestamp (YYYY-MM-DDTHH:MM:SS)
list_assignments_for_user List all investigation assignments assigned to a user/analyst

Parameters

user_id Vectra platform user ID to retrieve assignments for
resolved Filter assignments by resolved state (True for resolved, False for unresolved)
get_assignment_detail_by_id Retrieve details of a specific investigation assignment

Parameters

assignment_id ID of the assignment to retrieve (minimum: 1)
get_assignment_for_entity Retrieve investigation assignment for a specific account or host

Parameters

entity_ids List of entity IDs to retrieve assignment for
entity_type Type of entity to retrieve assignment for (host or account)
create_assignment Create investigation assignment for an account or host

Parameters

assign_to_user_id ID of the user to assign the entity to (minimum: 1)
assign_entity_id ID of the entity (account or host) to assign
assign_entity_type Type of the entity (account or host) to assign
create_entity_note Add an investigation note to an entity (host or account)

Parameters

entity_id ID of the entity to add note to (minimum: 1)
entity_type Type of entity to add note to (host or account)
note Note text to add to the entity
mark_detection_fixed Mark or unmark detections as fixed

Parameters

detection_ids List of detection IDs to mark as fixed or not fixed
mark_fixed True to mark as fixed, False to unmark as fixed
delete_assignment Unassign or delete an investigation assignment by its ID

Parameters

assignment_id ID of the assignment to delete (minimum: 1)
list_platform_users List users in the Vectra platform

Parameters

role Filter by user role (admins, auditor, global_analyst, read_only, restricted_admins, security_analyst, setting_admins, super_admins)
last_login_after Filter by last login date in ISO format (YYYY-MM-DDTHH:MM:SS)
email Valid email address of the Vectra platform user to filter by
limit Maximum number of users to return (1-1000, default: 1000)
list_lockdown_entities List entities that are currently in lockdown
Summarize Detection Get a detailed summary of a specific detection in Vectra AI platform

Parameters

detection_id ID of the detection to summarize (1-999999)
Visualize Entity Detections Visualize relationship of detections related to a specific entity in Vectra AI platform with an interactive graph

Parameters

entity_id ID of the entity to visualize detections for (1-999999)
graph_theme Theme for the graph visualization (light or dark, default: dark)
Security Tier: Silver (score 80 out of 100). Scanned by orcorus-marketplace-automation, Mar 14, 2026.

Security Code Review Report — vectra-ai-rux-mcp-server

1. OWASP Review Methodology Applied

I applied an OWASP-aligned review process as follows:

  • Established architecture/context by reading the main entry point (server.py), configuration (config.py), API client (vectra_client.py), tool handlers under tool/, prompts, logging, and container/runtime configs.
  • Identified trust boundaries and entry points:
  • MCP transport inputs via stdio, sse, and streamable-http in server.py
  • Environment/configuration inputs via .env and runtime environment variables in config.py
  • Outbound network requests to Vectra and token endpoints in vectra_client.py
  • Traced data flows from MCP tool parameters into client request construction and outbound HTTP calls.
  • Modeled threats around SSRF, insecure defaults, authn/authz exposure through HTTP transports, data leakage via logs, and misuse of high-impact management actions.
  • Verified controls such as Pydantic parameter typing, some field constraints, rotating logs, non-root container user, and HTTPS normalization for VECTRA_BASE_URL.
  • Validated findings with concrete code evidence and avoided speculative issues without code support.

2. OWASP Top 10 Category Mapping

Finding | OWASP Top 10 2021
Arbitrary outbound token endpoint override can enable SSRF and credential exfiltration | A10:2021 Server-Side Request Forgery; A05:2021 Security Misconfiguration; A02:2021 Cryptographic Failures
HTTP transports bind to all interfaces by default | A05:2021 Security Misconfiguration; A01:2021 Broken Access Control
No authentication or transport-layer protection visible for exposed HTTP MCP endpoints | A01:2021 Broken Access Control; A04:2021 Insecure Design; A07:2021 Identification and Authentication Failures
Broken assignment creation implementation causing unintended destructive action path / insecure design flaw | A04:2021 Insecure Design

3. Critical Vulnerabilities

None confirmed.

I did not find evidence of:
- RCE
- shell/command injection
- unsafe deserialization
- eval/exec usage
- SQL injection

4. High Severity Issues

H1. Arbitrary OAuth token endpoint override enables SSRF and credential disclosure

  • Severity: High
  • OWASP: A10, A05, A02
  • Files/lines:
  • config.py:21
  • config.py:89-95
  • vectra_client.py:70-92

Evidence

config.py allows an unrestricted override of the OAuth token endpoint:
- config.py:21 - oauth_token_url_override: Optional[str] = Field(default=None, alias="VECTRA_OAUTH_TOKEN_URL")
- config.py:91-92 — if set, it is returned directly with no validation

That value is then used directly for a POST request carrying client credentials:
- vectra_client.py:88-92
- url=self.token_url
- Authorization: Basic <base64(client_id:client_secret)>

Why this matters

If an attacker can influence environment variables, deployment configuration, container orchestrator settings, or a CI/CD secret/config source, they can point VECTRA_OAUTH_TOKEN_URL to an attacker-controlled server. The server will then send the Vectra client_id and client_secret in a Basic Authorization header.

This is both:
- SSRF: arbitrary outbound request from the server
- credential exfiltration: secrets are transmitted to the attacker-controlled endpoint

Because the request includes the full client credentials, the impact is high.

Exploitability

Moderate preconditions: attacker must control or influence runtime config/environment. In many real deployments, that is plausible through misconfigured container manifests, poisoned .env, compromised CI variables, or insider threat.

Remediation

  • Restrict token URL to the same trusted Vectra tenant origin as VECTRA_BASE_URL.
  • Validate scheme as https only.
  • Reject non-tenant hosts, localhost, RFC1918/private, link-local, and non-public IPs unless an explicit secure dev mode is enabled.
  • Prefer removing VECTRA_OAUTH_TOKEN_URL override entirely unless there is a documented hard requirement.

Example hardening in config.py:
- Parse both URLs with urllib.parse
- Ensure oauth_token_url_override hostname matches base_url hostname, or a strict allowlist.
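The policy above, worked through as an added example (not the project's config.py): the override must be https, must name the same host as VECTRA_BASE_URL or an explicit allowlist entry, and must not be localhost or a non-public IP literal unless a dev mode is enabled. The default token path "/oauth2/token" is a placeholder, and DNS names are not resolved, so a name that resolves to a private address is caught only by the allowlist.

```python
"""Same-origin / HTTPS / public-address policy for a VECTRA_OAUTH_TOKEN_URL override.

Added illustration, not the project's config.py. The default token path
"/oauth2/token" is a placeholder: the real path comes from the project.
"""
import ipaddress
from typing import Iterable, Optional
from urllib.parse import urlsplit


class TokenUrlError(ValueError):
    """Raised when an override token URL violates the policy."""


def _tenant_host(base_url: str) -> str:
    # VECTRA_BASE_URL may be given without a scheme; the review notes it is normalized to https.
    parts = urlsplit(base_url if "://" in base_url else "https://" + base_url)
    if not parts.hostname:
        raise TokenUrlError(f"VECTRA_BASE_URL has no hostname: {base_url!r}")
    return parts.hostname.lower()


def _is_non_public_ip_literal(host: str) -> bool:
    """True for loopback, RFC1918/private, link-local and other non-global IP literals.

    A DNS name returns False: this check does not resolve names, so a name that
    resolves to a private address is only caught by the host allowlist below.
    """
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def resolve_token_url(
    base_url: str,
    override: Optional[str],
    *,
    allowed_hosts: Iterable[str] = (),
    dev_mode: bool = False,
) -> str:
    """Return the token endpoint the client may POST credentials to.

    Without an override the endpoint is derived from the tenant host (placeholder path).
    With an override, require an https scheme, a hostname equal to the tenant host or
    present in allowed_hosts, and no non-public IP literal or localhost. dev_mode relaxes
    only the scheme and the non-public-address check; the host allowlist still applies.
    """
    tenant = _tenant_host(base_url)
    if override is None:
        return f"https://{tenant}/oauth2/token"

    parts = urlsplit(override)
    host = (parts.hostname or "").lower()
    if not host:
        raise TokenUrlError("token URL override has no hostname")
    if parts.scheme != "https" and not (dev_mode and parts.scheme == "http"):
        raise TokenUrlError("token URL override must use https")
    if not dev_mode and (host == "localhost" or _is_non_public_ip_literal(host)):
        raise TokenUrlError(f"token URL override targets a non-public address: {host}")
    allowed = {h.lower() for h in allowed_hosts} | {tenant}
    if host not in allowed:
        raise TokenUrlError(
            f"token URL host {host!r} is neither the tenant host {tenant!r} nor allowlisted"
        )
    return override
```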


H2. HTTP MCP server binds to all network interfaces by default

  • Severity: High
  • OWASP: A05, A01
  • Files/lines:
  • server.py:188-189
  • Dockerfile:30-32
  • docker-compose.yml:22-24
  • README.md examples repeatedly recommend 0.0.0.0

Evidence

Default host binding is all interfaces:
- server.py:188 - default=os.environ.get("VECTRA_MCP_HOST", "0.0.0.0")
- Dockerfile sets ENV VECTRA_MCP_HOST=0.0.0.0
- docker-compose.yml sets VECTRA_MCP_HOST=${VECTRA_MCP_HOST:-0.0.0.0}

The server starts unauthenticated HTTP transports on that host:
- server.py:114-123 - streamable-http
- server.py:128-137 - sse

Why this matters

This exposes the MCP server beyond localhost by default. Since the tools allow access to sensitive tenant security data and state-changing actions (assignment deletion, note creation, detection state updates), broad binding materially increases attack surface.

If deployed on a workstation, server, or container host with accessible networking, any reachable client may interact with the MCP server unless another network layer blocks access.

Exploitability

High likelihood in real deployments because this is the default across code, Docker image, compose file, and README examples.

Remediation

  • Change the default bind address to 127.0.0.1.
  • Require an explicit opt-in for 0.0.0.0 with a warning log.
  • In container examples, document reverse-proxy/TLS/auth requirements before exposing externally.
  • Consider refusing non-local binding unless VECTRA_MCP_ALLOW_REMOTE=true is set.
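The loopback-first bind policy from the remediation list, as an added example rather than the project's server.py: the default becomes 127.0.0.1, a non-loopback host is refused for the sse and streamable-http transports unless VECTRA_MCP_ALLOW_REMOTE=true (the variable name the review proposes) is set, and an explicit opt-in produces a warning the caller can log.

```python
"""Loopback-first bind policy for the HTTP transports (sse, streamable-http).

Added example, not the project's server.py. VECTRA_MCP_ALLOW_REMOTE is the opt-in
variable suggested in the review, not an existing project setting.
"""
import ipaddress
from typing import List, Mapping, Tuple

DEFAULT_HOST = "127.0.0.1"  # replaces the "0.0.0.0" default the review flags


class BindPolicyError(ValueError):
    """Raised when a non-loopback bind is requested without explicit opt-in."""


def _is_loopback(host: str) -> bool:
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other DNS name is treated as non-local


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"1", "true", "yes", "on"}


def resolve_bind(env: Mapping[str, str], transport: str) -> Tuple[str, List[str]]:
    """Return (host, warnings) for the given transport.

    stdio never opens a socket, so its host is returned unchanged. For HTTP transports
    a loopback host is accepted silently; anything else needs VECTRA_MCP_ALLOW_REMOTE=true
    and yields a warning message for the server log.
    """
    warnings: List[str] = []
    host = env.get("VECTRA_MCP_HOST", DEFAULT_HOST).strip() or DEFAULT_HOST
    if transport == "stdio" or _is_loopback(host):
        return host, warnings
    if not _truthy(env.get("VECTRA_MCP_ALLOW_REMOTE", "false")):
        raise BindPolicyError(
            f"refusing to bind {transport} transport to {host!r}; set VECTRA_MCP_ALLOW_REMOTE=true "
            "only when an authenticated reverse proxy with TLS sits in front of this server"
        )
    warnings.append(
        f"{transport} transport bound to {host!r}: reachable from the network, "
        "auth and TLS must be enforced upstream"
    )
    return host, warnings
```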

5. Medium Severity Issues

M1. No authentication or authorization controls are visible for exposed HTTP MCP transports

  • Severity: Medium
  • OWASP: A01, A04, A07
  • Files/lines:
  • server.py:114-137
  • server.py:117 / 131 using self.server.streamable_http_app() and self.server.sse_app()

Evidence

The application exposes HTTP MCP apps directly through Uvicorn:
- app = self.server.streamable_http_app()
- app = self.server.sse_app()
- uvicorn.run(app, host=host, port=port, ...)

I found no code implementing:
- API keys
- bearer token verification
- mutual TLS
- request origin restrictions
- reverse-proxy auth enforcement in code

Why this matters

If HTTP transport is exposed, any reachable party may be able to invoke tools that:
- read sensitive security findings and user/account data
- create notes
- delete assignments
- mark detections fixed

Because this review is limited to the repository, I cannot verify whether FastMCP implicitly provides auth middleware. No such enforcement is configured here.

Exploitability

Depends on deployment exposure. Combined with the all-interface default, risk becomes much more practical.

Remediation

  • Put HTTP transports behind an authenticated reverse proxy by default.
  • Add explicit auth middleware for HTTP transport, such as bearer token verification.
  • Require TLS termination and document trust assumptions.
  • If only local desktop MCP use is intended, disable HTTP transports by default or require explicit enablement.
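A bearer-token gate of the kind the remediation asks for, written as plain ASGI so it can wrap whatever streamable_http_app() or sse_app() return. This is an added example, not the project's code: VECTRA_MCP_AUTH_TOKENS is a hypothetical variable name, demo_app is a constructed stand-in for the MCP app, and simulate_request drives the middleware without a server.

```python
"""Bearer-token gate in front of the MCP HTTP app (sse / streamable-http), as plain ASGI.

Added example, not the project's code. VECTRA_MCP_AUTH_TOKENS is a hypothetical
variable name; the wrapped app would be the object returned by streamable_http_app()
or sse_app(), represented here by a constructed demo_app.
"""
import asyncio
import hmac
from typing import Iterable, List, Optional, Tuple


def _header(scope: dict, name: bytes) -> Optional[bytes]:
    for key, value in scope.get("headers", []):
        if key.lower() == name:
            return value
    return None


class BearerAuthMiddleware:
    """Returns 401 for any HTTP request without a valid 'Authorization: Bearer <token>'.

    Token comparison uses hmac.compare_digest and checks every configured token so the
    response time does not reveal which one (if any) matched. Non-HTTP scopes
    (lifespan) pass through untouched.
    """

    def __init__(self, app, tokens: Iterable[str], exempt_paths: Iterable[str] = ()):
        self.app = app
        self.tokens = [t.encode() for t in tokens if t]
        self.exempt = frozenset(exempt_paths)
        if not self.tokens:
            raise ValueError("refusing to start HTTP transport with no auth tokens configured")

    def _valid(self, authorization: bytes) -> bool:
        scheme, _, presented = authorization.partition(b" ")
        presented = presented.strip()
        if scheme.lower() != b"bearer" or not presented:
            return False
        matched = False
        for token in self.tokens:
            matched |= hmac.compare_digest(token, presented)
        return matched

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http" or scope.get("path") in self.exempt:
            await self.app(scope, receive, send)
            return
        if not self._valid(_header(scope, b"authorization") or b""):
            await send({"type": "http.response.start", "status": 401,
                        "headers": [(b"www-authenticate", b'Bearer realm="vectra-mcp"'),
                                    (b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"unauthorized"})
            return
        await self.app(scope, receive, send)


def tokens_from_env(env: dict, var: str = "VECTRA_MCP_AUTH_TOKENS") -> List[str]:
    """Comma-separated token list from the environment (hypothetical variable name)."""
    return [t.strip() for t in env.get(var, "").split(",") if t.strip()]


async def demo_app(scope, receive, send):
    """Constructed stand-in for the MCP HTTP app: always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def simulate_request(app, path: str, headers: List[Tuple[bytes, bytes]], method: str = "POST") -> int:
    """Drive an ASGI app with a minimal scope and return the response status code."""
    sent: List[dict] = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "method": method, "path": path, "headers": headers}
    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    guarded = BearerAuthMiddleware(demo_app, tokens_from_env({"VECTRA_MCP_AUTH_TOKENS": "s3cret"}))
    print(simulate_request(guarded, "/mcp", []))                                        # 401
    print(simulate_request(guarded, "/mcp", [(b"authorization", b"Bearer s3cret")]))  # 200
```

In a real deployment the token still travels in a header, so TLS termination in front of the server remains a requirement, as the remediation notes.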

M2. Assignment creation tool is wired to the delete API instead of create API

  • Severity: Medium
  • OWASP: A04
  • Files/lines:
  • tool/investigation_tools.py:158-195
  • especially tool/investigation_tools.py:195
  • vectra_client.py:610-615

Evidence

The tool named create_assignment builds assignment_data, but then calls:
- tool/investigation_tools.py:195 - assignment = await self.client.delete_assignment(assignment_data)

The client method expects an integer assignment ID and performs:
- vectra_client.py:614-615 - DELETE /assignments/{assignment_id}

Why this matters

This is primarily a security-relevant design/logic flaw rather than a classic exploit. A caller attempting to create an assignment may instead trigger a malformed delete path. Depending on framework/runtime coercion and path formatting, this could cause:
- failed operations
- unintended deletion attempts
- unpredictable behavior in downstream logging/monitoring

It also undermines the safety of management actions exposed via MCP.

Exploitability

Moderate. This is a real code defect, though impact depends on runtime behavior.

Remediation

  • Replace the call with await self.client.create_assignment(assignment_data).
  • Add an integration test for assignment creation.
  • Validate response schema before dereferencing nested fields.

M3. Insecure default/documented deployment pattern encourages unauthenticated remote exposure

  • Severity: Medium
  • OWASP: A05, A04
  • Files/lines:
  • README.md multiple examples using --host 0.0.0.0
  • docker-compose.yml:7-9, 22-24
  • Dockerfile:30-32

Evidence

The project documentation and container defaults consistently steer users toward network exposure without paired auth/TLS guidance.

Examples:
- README.md local and Docker examples use 0.0.0.0
- docker-compose.yml publishes 8000:8000
- Dockerfile exposes port 8000

Why this matters

This is a deployment-hardening issue. Projects often become insecure because insecure defaults are copied verbatim into production.

Remediation

  • Document localhost-first usage.
  • For remote deployments, require reverse proxy auth + TLS in examples.
  • Provide a secure compose example with loopback binding or an authenticated proxy.

6. Low Severity Issues

L1. Token endpoint override does not enforce HTTPS

  • Severity: Low
  • OWASP: A02, A05
  • Files/lines:
  • config.py:89-95

Evidence

base_url is normalized to a URL and commonly becomes HTTPS if no scheme is supplied, but oauth_token_url_override is returned directly with no scheme validation.

Why this matters

If someone sets an http:// token endpoint override, client credentials may traverse plaintext channels.

Remediation

  • Require https:// for any token URL override.
  • Reject cleartext HTTP except perhaps in a guarded local dev mode.

L2. Broad auto-pagination can amplify data exposure and DoS risk for large tenants

  • Severity: Low
  • OWASP: A04
  • Files/lines:
  • vectra_client.py:254-355
  • tool/detection_tools.py multiple methods set auto_paginate = True
  • tool/entity_tools.py:243

Evidence

Several tools enable auto-pagination and fetch up to max_pages=1000.

While result display is later limited in some tools, the backend still retrieves all pages first.

Why this matters

A remote caller can request expensive enumerations over large tenants, increasing load on both this server and the Vectra API.

Remediation

  • Enforce server-side maximum items/pages based on the requested limit.
  • Do not auto-paginate by default for remote HTTP transports.
  • Add per-tool bounds and request budgeting.
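The page budgeting described above, as an added example (not vectra_client.py): the number of pages fetched is derived from the caller's limit instead of a flat max_pages=1000, fetching stops on a short page, and auto-pagination can be switched off so a remote caller gets a single page. fetch_page is an assumed callable (page_number, page_size) -> list of results; make_source is a constructed in-memory stand-in for the Vectra API.

```python
"""Budgeted auto-pagination: fetch only the pages the caller's limit needs.

Added example, not vectra_client.py. fetch_page is any callable
(page_number, page_size) -> list of results, e.g. a wrapper around the
client's GET of one page; here it is a constructed in-memory source.
"""
import math
from typing import Callable, Dict, List, Tuple

FetchPage = Callable[[int, int], List[dict]]


def budgeted_paginate(
    fetch_page: FetchPage,
    *,
    limit: int,
    page_size: int = 100,
    auto_paginate: bool = True,
    hard_max_pages: int = 1000,
) -> Tuple[List[dict], int]:
    """Return (items, pages_fetched).

    Page budget = ceil(limit / page_size), never more than hard_max_pages, instead of
    a flat max_pages=1000. With auto_paginate=False (the recommended default for remote
    HTTP transports) exactly one page is fetched. Fetching stops early on an empty or
    short page, and the result is trimmed to limit.
    """
    if limit < 1 or page_size < 1:
        raise ValueError("limit and page_size must be positive")
    budget = 1 if not auto_paginate else min(math.ceil(limit / page_size), hard_max_pages)
    items: List[dict] = []
    pages = 0
    for page in range(1, budget + 1):
        chunk = fetch_page(page, page_size)
        pages += 1
        items.extend(chunk)
        if len(chunk) < page_size or len(items) >= limit:
            break  # short page means no more data; enough items means stop spending budget
    return items[:limit], pages


def make_source(total: int) -> Tuple[FetchPage, Dict[str, int]]:
    """Constructed page source holding `total` detections; stats['calls'] counts page fetches."""
    records = [{"id": i, "category": "lateral"} for i in range(1, total + 1)]
    stats = {"calls": 0}

    def fetch_page(page: int, page_size: int) -> List[dict]:
        stats["calls"] += 1
        start = (page - 1) * page_size
        return records[start:start + page_size]

    return fetch_page, stats
```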

7. Key Risk Characteristics

Finding H1 — OAuth token endpoint override SSRF/credential disclosure

  • Exploitability: Medium
  • Impact: High, because OAuth client credentials can be exfiltrated
  • Likelihood: Medium
  • Preconditions: Attacker can alter environment/config/deployment variables
  • Business impact: Compromise of Vectra API credentials may expose tenant security telemetry and permit unauthorized actions

Finding H2 — Bind to all interfaces by default

  • Exploitability: High
  • Impact: High when combined with reachable network path and no auth
  • Likelihood: High, because it is the default in code/docs/container config
  • Preconditions: HTTP transport enabled and host network reachable
  • Business impact: Unauthorized access to threat data and security operations

Finding M1 — No visible auth on HTTP MCP transport

  • Exploitability: Medium to High depending on deployment
  • Impact: High for exposed deployments
  • Likelihood: Medium
  • Preconditions: HTTP transport enabled and network reachability
  • Business impact: Data exposure and unauthorized state changes in the Vectra tenant

Finding M2 — Miswired assignment creation

  • Exploitability: Medium
  • Impact: Medium
  • Likelihood: High once feature is used
  • Preconditions: Tool caller invokes assignment creation
  • Business impact: Operational integrity issue; could lead to failed or unintended assignment operations

8. Positive Security Practices

The repository also shows several good practices:

  • Non-root container user in Dockerfile.
  • Typed and constrained MCP tool inputs via Pydantic annotations (Field, Literal, IPvAnyAddress, numeric bounds).
  • Reasonable HTTP client timeouts and connection limits in vectra_client.py.
  • Retry logic for transient network failures using tenacity.
  • Sensitive log filtering in utils/logging.py to mask common secrets and bearer tokens.
  • Date parsing/validation in utils/validators.py.
  • No dangerous dynamic execution found (eval, exec, shell spawning, unsafe deserialization absent).
  • Dependency versions are pinned minimally and uv.lock exists, which is better than completely floating installs.

9. Recommendations

Priority 1

  1. Remove or strictly validate VECTRA_OAUTH_TOKEN_URL override
     • Files: config.py:21, config.py:89-95, vectra_client.py:88-92
     • Fix: enforce HTTPS and same-origin/allowlist validation.
     • OWASP: A10, A05, A02

  2. Change HTTP bind default from 0.0.0.0 to 127.0.0.1
     • Files: server.py:188-189, Dockerfile:30-32, docker-compose.yml:22-24
     • Fix: require explicit opt-in for remote binding.
     • OWASP: A05, A01

  3. Add authentication for HTTP MCP transports or require authenticated reverse proxy
     • Files: server.py:114-137, deployment docs in README.md
     • Fix: bearer/API-key middleware or reverse-proxy auth; document TLS requirement.
     • OWASP: A01, A04, A07

Priority 2

  1. Fix assignment creation logic
     • Files: tool/investigation_tools.py:195, vectra_client.py:610-615
     • Fix: replace delete_assignment with create_assignment.
     • OWASP: A04

  2. Reduce enumeration blast radius from auto-pagination
     • Files: vectra_client.py:254-355, detection/entity tools
     • Fix: cap total items/pages according to caller limit and transport mode.
     • OWASP: A04

Priority 3

  1. Harden documentation and examples
     • Files: README.md, docker-compose.yml
     • Fix: prefer localhost binding and add secure remote deployment guidance.
     • OWASP: A05

  2. Add security-focused integration tests
     • Token URL override validation
     • Remote binding safeguards
     • Auth required for HTTP transport
     • Assignment creation path correctness

10. Next Tier Upgrade Plan

Likely current tier: Bronze

Rationale:
- Good basic coding hygiene and some input validation
- But insecure network exposure defaults and lack of visible HTTP auth controls prevent a higher rating

Next target tier: Silver

Concrete actions to reach Silver

  1. Lock down transport exposure
     • Default to 127.0.0.1
     • Explicit opt-in for remote HTTP
  2. Add HTTP auth and document TLS/reverse proxy requirements
     • API key or bearer token validation
  3. Eliminate SSRF/credential exfil path
     • Remove or constrain VECTRA_OAUTH_TOKEN_URL
  4. Fix security-relevant logic defects
     • Correct create_assignment
  5. Constrain resource consumption
     • Bound pagination and expensive list operations
  6. Add deployment hardening docs
     • Secure compose/reverse proxy examples
  7. Add automated tests for the above controls

What would be needed for Gold later

  • Strong authn/authz model for HTTP transports
  • Default secure deployment templates with TLS and auth proxy
  • Fine-grained audit logging for sensitive actions
  • Security regression tests in CI
  • Threat-model documentation and explicit trust-boundary docs

Finding Summary Table

ID | Severity | Title | File:Line
H1 | High | Arbitrary OAuth token endpoint override enables SSRF and credential disclosure | config.py:21, config.py:89-95, vectra_client.py:70-92
H2 | High | HTTP server binds to all interfaces by default | server.py:188-189, Dockerfile:30-32, docker-compose.yml:22-24
M1 | Medium | No visible authentication/authorization for exposed HTTP transports | server.py:114-137
M2 | Medium | Assignment creation tool incorrectly calls delete API | tool/investigation_tools.py:195, vectra_client.py:610-615
M3 | Medium | Documentation and container defaults encourage insecure remote exposure | README.md, docker-compose.yml, Dockerfile
L1 | Low | Token URL override does not enforce HTTPS | config.py:89-95
L2 | Low | Auto-pagination can amplify data exposure and resource consumption | vectra_client.py:254-355, related tool files

Final Assessment

This repository does not appear to contain critical code-execution or injection flaws. The main security concerns are deployment and trust-boundary issues: remote exposure by default, no visible HTTP auth enforcement, and an SSRF/credential-exfiltration path through unvalidated token URL override. These should be addressed before recommending exposed HTTP deployment.

Configuration

Configure the connection to Vectra AI RUX MCP Server:
  • VECTRA_CLIENT_SECRET (required, password)
  • VECTRA_BASE_URL (string): The base URL of the Vectra AI RUX MCP Server
  • VECTRA_CLIENT_ID (string)

Docker Image: mcp/vectra-ai-rux-mcp-server (Docker Hub)

Published by github.com/vectra-ai-research
