MCP Server Not Respecting Duo Availability Settings

User problem to solve

MCP server bypasses GitLab Duo access controls, exposing project data even when Duo features are disabled by admins.

Proposal

Add duo_features_enabled checks to MCP tools.
For SaaS, if the setting of any top level namespace that the user is a member of is enabled, allow access.
For Self-Managed, if the setting of the instance is enabled, allow access.

Original Issue

Background

Currently, the MCP server operates independently of Duo authentication settings, potentially creating a security concern. This means that resources that should be protected by Duo authentication could potentially be accessed through the MCP server without proper Duo verification.

Current Behavior:

MCP server operates independently of "Duo features enabled" setting
Access to resources through MCP server may bypass intended Duo authentication requirements

Proposed Behavior:

MCP server should respect Duo authentication settings
Resources protected by Duo should require proper authentication even when accessed through MCP server

Security Impact: This disconnect between MCP server and Duo settings could potentially create an authentication bypass vulnerability for resources that should be Duo-protected.

Description was generated using AI

Edited Nov 13, 2025 by Tan Le