Problem
When the optimizer is enabled with Cedar authorization, find_tool can return backend tool names and descriptions that the user is not authorized to call.
Cedar authz gates tools/list via response filtering (checking each tool against the user's policies) and gates tools/call via request authorization. But when a user calls find_tool, Cedar only checks whether the user is authorized to call Tool::"find_tool" itself — it does not filter the search results against the user's per-tool policies. The optimizer searches its full embedding store and returns matching backend tools regardless of the caller's authorization.
This is an information disclosure issue: a user who is permitted to use find_tool can discover the names and descriptions of tools they are explicitly denied access to.
Steps to reproduce
- Configure a vMCP server with the optimizer enabled and Cedar authorization
- Add a Cedar policy that permits find_tool but denies a specific backend tool (e.g., Tool::"admin_tool")
- Call find_tool with a query that matches admin_tool

Observed: find_tool returns admin_tool in its results despite the user lacking authorization
Expected behavior
find_tool results should be filtered against the caller's Cedar policies so that unauthorized tools are not disclosed.
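The following Go program is an added illustration of the gap and the expected fix; it is not code from the vMCP/ToolHive project. It models the optimizer's store search as a simple substring match and stands in for Cedar with a hypothetical Authorizer interface (both constructed assumptions), so the only thing it demonstrates is where the per-tool check belongs: findToolUnfiltered reproduces the reported behaviour, findToolFiltered applies the caller's tool policies to the search results before returning them.

```go
package main

import (
	"fmt"
	"strings"
)

// Tool is a backend tool as held in the optimizer's embedding store.
type Tool struct {
	Name        string
	Description string
}

// Authorizer is a hypothetical stand-in for the Cedar per-tool check
// ("is principal permitted to call Tool::<name>?"). Not the real API.
type Authorizer interface {
	IsPermitted(principal, toolName string) bool
}

// denyListAuthorizer is a constructed policy set: every tool is permitted
// unless explicitly denied for that principal.
type denyListAuthorizer struct {
	denied map[string]map[string]bool // principal -> tool -> denied
}

func (a denyListAuthorizer) IsPermitted(principal, tool string) bool {
	return !a.denied[principal][tool]
}

// searchStore stands in for the embedding search: a case-insensitive
// substring match over name and description of the FULL store.
func searchStore(store []Tool, query string) []Tool {
	q := strings.ToLower(query)
	var hits []Tool
	for _, t := range store {
		if strings.Contains(strings.ToLower(t.Name+" "+t.Description), q) {
			hits = append(hits, t)
		}
	}
	return hits
}

// findToolUnfiltered models the reported behaviour: the search results are
// returned as-is, so a tool the caller may not call is still disclosed.
func findToolUnfiltered(store []Tool, query string) []Tool {
	return searchStore(store, query)
}

// findToolFiltered models the expected behaviour: the caller must be allowed
// to call find_tool itself, and every hit is checked against the caller's
// per-tool policy before it is returned.
func findToolFiltered(az Authorizer, principal string, store []Tool, query string) []Tool {
	if !az.IsPermitted(principal, "find_tool") {
		return nil
	}
	var out []Tool
	for _, t := range searchStore(store, query) {
		if az.IsPermitted(principal, t.Name) {
			out = append(out, t)
		}
	}
	return out
}

// containsName reports whether a result set discloses the named tool.
func containsName(ts []Tool, name string) bool {
	for _, t := range ts {
		if t.Name == name {
			return true
		}
	}
	return false
}

// sampleStore is constructed sample data for the example.
func sampleStore() []Tool {
	return []Tool{
		{"admin_tool", "Administrative operations: rotate keys and reset credentials"},
		{"report_tool", "Generate admin usage reports for a workspace"},
		{"echo_tool", "Echo the input back to the caller"},
	}
}

// sampleAuthorizer is a constructed policy set: alice may use find_tool but
// is denied admin_tool; bob is denied find_tool entirely.
func sampleAuthorizer() Authorizer {
	return denyListAuthorizer{denied: map[string]map[string]bool{
		"alice": {"admin_tool": true},
		"bob":   {"find_tool": true},
	}}
}

func main() {
	store, az := sampleStore(), sampleAuthorizer()
	fmt.Println("unfiltered:", findToolUnfiltered(store, "admin"))
	fmt.Println("filtered for alice:", findToolFiltered(az, "alice", store, "admin"))
	fmt.Println("filtered for bob:", findToolFiltered(az, "bob", store, "admin"))
}
```

Running it, the unfiltered search for "admin" returns both admin_tool and report_tool, while the filtered search for alice returns only report_tool and the one for bob returns nothing. The check has to run on each result, not just on find_tool, because the store search itself is unaware of who is asking.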
Related: #4373
Generated with Claude Code