ManualMind
by jwgv
Overview
ManualMind is an AI-powered document search and query system designed to help users find answers to questions about music technology manuals using natural language processing and vector search.
Installation
./scripts/deploy.sh start
Environment Variables
- OPENAI_API_KEY
- MANUALMIND_API_KEY
- MANUALMIND_INTERNAL_TOKEN
- REDIS_HOST
- REDIS_PORT
- REDIS_DB
- MAX_CHUNK_SIZE
- CHUNK_OVERLAP
- RATE_LIMIT_PER_MINUTE
- MCP_HTTP_PORT
- MANUALMIND_API_URL
- MAX_QUERY_LENGTH
- OPENAI_DEFAULT_MODEL
- LANGSMITH_API_KEY
- LANGSMITH_PROJECT
- LANGCHAIN_TRACING_V2
Security Notes
- CRITICAL: The `eval()` function is used in `main.py` to deserialize `processed_files` retrieved from Redis. If a malicious actor gains access to the Redis instance (which is unauthenticated within the Docker network), they could inject arbitrary Python code into the `processed_files` key, leading to Remote Code Execution (RCE).
- CRITICAL: The `/query` endpoint in `main.py` is explicitly public (no API key required), allowing unauthenticated and unmonitored access to the core LLM query functionality, leading to potential abuse, high OpenAI costs, and prompt injection risks despite internal sanitization efforts.
- CRITICAL: The MCP server's HTTP endpoints (`/tools`, `/call`, `/query`, `/status`, `/process`, `/llm-models`) are unauthenticated. While it uses `MANUALMIND_API_KEY` for calls to the main ManualMind backend for some tools, direct access to the MCP server's HTTP layer is unprotected, relying only on rate limiting. This exposes sensitive operations (e.g., triggering `process_documents`) to unauthorized callers.
- MEDIUM: Redis is configured without authentication within the Docker network. Given the RCE vulnerability with `eval()` and the unauthenticated MCP server, this setup presents a significant attack surface if any component in the network is compromised or misconfigured.
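A hardened replacement for the `eval()`-based deserialization described in the first note, written here as an added example rather than code from ManualMind's `main.py`: the value is stored as JSON and, on load, parsed with `json.loads` and shape-checked, so a tampered key fails closed instead of executing. The `FakeRedis` stand-in, the helper names and the assumption that the real code reads a single `processed_files` key are constructed for this example.

```python
import json
from typing import Iterable

PROCESSED_FILES_KEY = "processed_files"  # key name taken from the security note


class FakeRedis:
    """Constructed in-memory stand-in for the Redis client, so this runs offline.
    Only get/set are modelled; a real redis.Redis returns bytes the same way."""

    def __init__(self) -> None:
        self._store: dict[str, bytes] = {}

    def get(self, key: str):
        return self._store.get(key)

    def set(self, key: str, value) -> None:
        self._store[key] = value if isinstance(value, bytes) else str(value).encode()


def save_processed_files(r, files: Iterable[str]) -> None:
    """Persist the set as JSON (data only), never as a Python repr meant for eval()."""
    r.set(PROCESSED_FILES_KEY, json.dumps(sorted(set(files))))


def load_processed_files(r) -> set[str]:
    """Hardened replacement for eval(r.get(PROCESSED_FILES_KEY)).

    json.loads cannot execute code, and the shape check afterwards rejects a
    key that was rewritten by anyone with access to the unauthenticated Redis.
    """
    raw = r.get(PROCESSED_FILES_KEY)
    if raw is None:
        return set()  # first run: nothing processed yet
    try:
        data = json.loads(raw)
    except (json.JSONDecodeError, UnicodeDecodeError) as exc:
        raise ValueError("processed_files in Redis is not valid JSON") from exc
    if not isinstance(data, list) or not all(isinstance(x, str) for x in data):
        raise ValueError("processed_files must be a JSON list of strings")
    return set(data)
```

Wrap the `ValueError` at the call site with logging and a refusal to proceed, since a malformed key is a signal that the Redis instance was written to by something other than the application.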