Severity: Critical
CVSS Score: 9.3
## Summary The MCP router (ext_proc) exposes an `initialize`-method code path that, when a request carries an `mcp-init-host` header, bypasses the gateway JWT session validator and rewrites the upstream `:authority` header to whatever the caller chooses, gated only by a single shared header value (`router-key`). The shared value is * a literal string (`secret-api-key`) baked into `cmd/mcp-broker-router/main.go` as a fall-back default, and * in controller-managed deployments, a SHA-256 truncation of the `MCPGatewayExtension` UID — a non-secret value visible to anyone with `get` permission on the resource, and additionally exposed in `argv` because it is passed to the broker-router container via `--mcp-router-key=...`. A request that satisfies the trivial header check is forwarded to any backend listener registered with the gateway (including external services such as `api.githubcopilot.com` when configured), bypassing both the broker (where the signed `x-mcp-authorized` capability filter is enforced) and the gateway's JWT-based session model.