Advisories for npm/@grackle-ai/mcp package

2026

@grackle-ai/mcp has a workspace authorization bypass in its knowledge_search MCP tool

The knowledge_search and knowledge_get_node MCP tools are included in SCOPED_TOOLS (visible to scoped agents) but their handlers do not receive authContext and do not enforce workspace scoping. A scoped agent in Workspace A can supply an arbitrary workspaceId parameter to search or retrieve knowledge graph nodes from Workspace B, bypassing workspace isolation boundaries. This is a cross-workspace data leakage vulnerability affecting any deployment where multiple workspaces contain sensitive knowledge graph …
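The check the advisory describes as missing, sketched as an added example that is not the package's own code: the dispatcher passes authContext to every handler, and the handler derives the workspace from it instead of trusting the caller-supplied workspaceId. The shape of authContext (`scoped`, `workspaceId`), the handler signatures, `resolveWorkspace`, `callTool`, `WorkspaceScopeError` and the sample nodes are assumptions made for illustration.

```javascript
// Added illustration, not @grackle-ai/mcp source. Only SCOPED_TOOLS, authContext,
// workspaceId and the two tool names come from the advisory; the rest is assumed.
const SCOPED_TOOLS = new Set(["knowledge_search", "knowledge_get_node"]);

// Constructed sample data: one knowledge graph node per workspace.
const NODES = [
  { id: "n1", workspaceId: "ws-a", text: "alpha design notes" },
  { id: "n2", workspaceId: "ws-b", text: "beta design notes" },
];

class WorkspaceScopeError extends Error {}

// For a scoped caller the workspace bound to its credentials is authoritative.
// A conflicting workspaceId parameter is rejected (not silently overridden) so the
// attempt surfaces in logs. A missing authContext fails closed.
function resolveWorkspace(authContext, requestedWorkspaceId) {
  if (!authContext) throw new WorkspaceScopeError("missing authContext");
  if (!authContext.scoped) return requestedWorkspaceId; // unscoped caller
  if (requestedWorkspaceId && requestedWorkspaceId !== authContext.workspaceId) {
    throw new WorkspaceScopeError("workspaceId outside caller scope");
  }
  return authContext.workspaceId;
}

const handlers = {
  knowledge_search(args, authContext) {
    const ws = resolveWorkspace(authContext, args.workspaceId);
    return NODES.filter((n) => n.workspaceId === ws && n.text.includes(args.query));
  },
  knowledge_get_node(args, authContext) {
    const ws = resolveWorkspace(authContext, args.workspaceId);
    // Compare against the stored node's workspace, not only the parameter.
    const node = NODES.find((n) => n.id === args.id);
    return node && node.workspaceId === ws ? node : null;
  },
};

// Dispatcher: scoped callers see only SCOPED_TOOLS, and authContext is always passed on.
function callTool(name, args, authContext) {
  if (authContext && authContext.scoped && !SCOPED_TOOLS.has(name)) {
    throw new WorkspaceScopeError("tool not available to scoped agents");
  }
  const known = Object.prototype.hasOwnProperty.call(handlers, name);
  if (!known) throw new Error("unknown tool: " + name);
  return handlers[name](args, authContext);
}
```

A regression test for a fix of this kind should call both tools as a scoped agent with another workspace's identifier and assert that nothing from that workspace is returned.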