mcp-studio

CRITICAL security vulnerabilities are present. The JWT `SECRET_KEY` is hardcoded to 'your-secret-key-here', making authentication tokens easily forgeable. Password hashing is temporarily set to `plaintext`, meaning user passwords are not securely stored or verified. These two issues render the authentication system fundamentally insecure. Furthermore, the `/api/v1/dev` and `/api/v1/data` endpoints utilize dangerous functions like `exec()` and `eval()` for code profiling, debugging, and data transformations. While these are behind the compromised authentication, they pose severe Remote Code Execution (RCE) risks if an attacker bypasses or compromises authentication. The `/api/v1/files` endpoints expose powerful filesystem operations (list, upload, create, delete) which, despite path sanitization attempts, could be exploited given the weak authentication. CORS is also set to allow all origins (`*`), which is too permissive for production.