To: abuse@ovh.net
Cc: contact@alcy.fr, abuse@nuclide-research.com
Subject: Unauthenticated Alcy CRM MCP server (22-tool customer/work-order CRUD) on OVH dedicated server, 188.165.203.72:8000
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
2026-05-04
Re: Unauthenticated Alcy MCP Simple server exposing 22-tool CRM CRUD
IP / Host: 188.165.203.72 (rDNS ns310744.ovh.net, OVH dedicated server, France)
Severity: CRITICAL
I’m an independent security researcher conducting good-faith AI infrastructure research under the NuClide Research umbrella (CISA disclosures CVE-2025-4364, ICSA-25-140-11). This is an unsolicited coordinated-disclosure notification.
Summary
An OVH dedicated-server customer at 188.165.203.72:8000 is running an unauthenticated Model Context Protocol (MCP) server identifying itself as Alcy MCP Simple v3.2.0. The server exposes 22 tools mapping to admin operations on what appears to be a deployment of alcy.fr, a French field-service / facility-management SaaS, as a JSON-RPC API readable + writable by any unauthenticated internet caller.
Found during NuClide Research’s cross-cloud MCP survey (2026-05-04). Full case study: AI-LLM-Infrastructure-OSINT/blob/main/case-studies/commercial/mcp-cloud-survey-2026-05.md
Confirmed exposure
POST / returns a successful initialize response (Alcy MCP Simple v3.2.0). tools/list enumerates 22 callable tools, all unauthenticated:
Read tools (CRM data exfil):
search_clients, search_installations, search_ordre_mission, search_intervention,
search_contact, search_produit, search_installation_produit, search_ticket,
search_contrat_produit, search_intervention_produit, search_evts,
get_entity_history, search_agence, search_user, get_server_datetime
Mutate tools (record creation + modification):
add_evt, patch_ticket, patch_ordre_mission, patch_intervention,
create_ticket, create_ordre_mission, create_intervention
Verification was non-destructive: only initialize and tools/list JSON-RPC methods were called. No client records were retrieved, no tickets were created, no work orders were modified.
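The check described above, as an added example that is not the report's own tooling: it speaks MCP's streamable-HTTP transport, sends only initialize, the mandatory initialized notification and tools/list, never tools/call, and sorts the returned tool names into a read and a mutate surface by verb prefix. The local server and its tool list are constructed here to mirror the 22-tool surface quoted in the report; the prefix classification is an assumption (a naming heuristic, the authoritative signal is each tool's description and input schema).

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Tool names quoted in the report; used only by the constructed local server.
READ_TOOLS = [
    "search_clients", "search_installations", "search_ordre_mission",
    "search_intervention", "search_contact", "search_produit",
    "search_installation_produit", "search_ticket", "search_contrat_produit",
    "search_intervention_produit", "search_evts", "get_entity_history",
    "search_agence", "search_user", "get_server_datetime",
]
MUTATE_TOOLS = [
    "add_evt", "patch_ticket", "patch_ordre_mission", "patch_intervention",
    "create_ticket", "create_ordre_mission", "create_intervention",
]
# Assumption: write surface is identified by verb prefix (heuristic only).
MUTATE_PREFIXES = ("add_", "create_", "patch_", "update_", "delete_", "set_")


def rpc(url, method, params=None, req_id=None, session_id=None):
    """POST one JSON-RPC message to an MCP streamable-HTTP endpoint.
    req_id=None sends a notification (no response body expected).
    Handles both plain-JSON and SSE-framed responses."""
    msg = {"jsonrpc": "2.0", "method": method, "params": params or {}}
    if req_id is not None:
        msg["id"] = req_id
    headers = {"Content-Type": "application/json",
               "Accept": "application/json, text/event-stream"}
    if session_id:
        headers["Mcp-Session-Id"] = session_id
    req = urllib.request.Request(url, data=json.dumps(msg).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read().decode()
        ctype = resp.headers.get("Content-Type", "")
        sid = resp.headers.get("Mcp-Session-Id") or session_id
    if req_id is None or not raw.strip():
        return None, sid
    if ctype.startswith("text/event-stream"):
        for line in raw.splitlines():          # pick the event answering our id
            if line.startswith("data:"):
                obj = json.loads(line[5:].strip())
                if obj.get("id") == req_id:
                    return obj, sid
        raise ValueError("no SSE event answered request %r" % req_id)
    return json.loads(raw), sid


def probe(url):
    """Non-destructive enumeration: initialize, initialized, tools/list.
    No tool is ever invoked."""
    init, sid = rpc(url, "initialize", {
        "protocolVersion": "2025-03-26", "capabilities": {},
        "clientInfo": {"name": "exposure-check", "version": "0.1"}}, req_id=1)
    rpc(url, "notifications/initialized", session_id=sid)
    listing, _ = rpc(url, "tools/list", req_id=2, session_id=sid)
    names = sorted(t["name"] for t in listing["result"].get("tools", []))
    mutate = [n for n in names if n.startswith(MUTATE_PREFIXES)]
    return {"server": init["result"].get("serverInfo", {}),
            "read": [n for n in names if n not in mutate],
            "mutate": mutate}


class FakeMcp(BaseHTTPRequestHandler):
    """Constructed stand-in for an unauthenticated MCP server (plain JSON)."""
    def do_POST(self):
        msg = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        if "id" not in msg:                      # notification -> 202, no body
            self.send_response(202); self.end_headers(); return
        result = {}
        if msg["method"] == "initialize":
            result = {"protocolVersion": "2025-03-26", "capabilities": {"tools": {}},
                      "serverInfo": {"name": "Alcy MCP Simple", "version": "3.2.0"}}
        elif msg["method"] == "tools/list":
            result = {"tools": [{"name": n, "inputSchema": {"type": "object"}}
                                for n in READ_TOOLS + MUTATE_TOOLS]}
        body = json.dumps({"jsonrpc": "2.0", "id": msg["id"], "result": result}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Mcp-Session-Id", "demo-session")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_local_demo():
    """Start the constructed server on a loopback port, probe it, stop it."""
    srv = HTTPServer(("127.0.0.1", 0), FakeMcp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe("http://127.0.0.1:%d/" % srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    r = run_local_demo()
    print(r["server"], len(r["read"]), "read tools,", len(r["mutate"]), "mutate tools")
```

Against a real endpoint, call probe("http://<host>:<port>/") instead of run_local_demo(); if the mutate list is non-empty and no credential was needed to get this far, the finding is confirmed without reading or writing a single record.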
Why it matters
The exposed MCP server represents unauthenticated read+write access to a service-provider operations database:
- Customer rolodex: search_clients and search_contact enumerate customer identities.
- Operational records: search_ordre_mission (work orders), search_intervention (technician visits), search_ticket, search_contrat_produit (contracts), get_entity_history (audit trail).
- Mutation primitives: create_ticket, create_ordre_mission and patch_intervention allow an attacker to inject fake work orders or modify existing records.
- Operator/team identification: search_user and search_agence enumerate internal users and branch offices.
For a French customer-facing SaaS (alcy.fr), this constitutes a significant data-protection / GDPR-relevant exposure: customer data is reachable without authentication, and the operator's internal user list is enumerable.
Remediation
Bind the MCP transport to localhost or restrict via firewall:
# If served by FastMCP / uvicorn:
uvicorn alcy_mcp:app --host 127.0.0.1 --port 8000
# Or firewall (ufw evaluates rules in insertion order, so add the allow before the deny):
ufw allow from <admin-IP> to any port 8000 proto tcp
ufw deny 8000/tcp
If MCP integration is needed for AI client tooling, route through a reverse-proxy with API-key auth at the proxy layer.
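The report recommends doing the API-key check at the proxy; as an added example (not the report's or Alcy's code) the same gate is shown in-process as ASGI middleware, which is useful where no proxy sits in front of uvicorn. It assumes the MCP server is exposed as an ASGI app (for FastMCP this would be the app it hands to uvicorn) and that uvicorn is pointed at require_api_key(app, key) instead of app; both names are this example's own.

```python
import asyncio
import hmac


def require_api_key(app, expected_key):
    """Wrap an ASGI app so every HTTP request must carry
    'Authorization: Bearer <expected_key>'; anything else gets 401 and
    never reaches the MCP handler. Constant-time comparison avoids
    leaking the key through timing."""
    expected = expected_key.encode()

    async def wrapped(scope, receive, send):
        if scope["type"] != "http":             # lifespan etc. pass through
            await app(scope, receive, send)
            return
        auth = dict(scope.get("headers", [])).get(b"authorization", b"")
        presented = auth[7:] if auth[:7].lower() == b"bearer " else b""
        if not hmac.compare_digest(presented, expected):
            await send({"type": "http.response.start", "status": 401,
                        "headers": [(b"content-type", b"text/plain"),
                                    (b"www-authenticate", b"Bearer")]})
            await send({"type": "http.response.body", "body": b"unauthorized\n"})
            return
        await app(scope, receive, send)

    return wrapped


async def _mcp_stub(scope, receive, send):
    """Constructed stand-in for the MCP app: answers 200 to anything."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"application/json")]})
    await send({"type": "http.response.body", "body": b'{"jsonrpc":"2.0"}'})


def status_for(app, headers):
    """Drive an ASGI app with one POST / carrying the given headers and
    return the HTTP status it emits (no network, no server needed)."""
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"{}", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "method": "POST", "path": "/",
             "headers": [(k.lower().encode(), v.encode()) for k, v in headers.items()]}
    asyncio.run(app(scope, receive, send))
    return next(m["status"] for m in sent if m["type"] == "http.response.start")


KEY = "replace-with-a-long-random-secret"   # constructed demo key
guarded = require_api_key(_mcp_stub, KEY)

if __name__ == "__main__":
    print(status_for(guarded, {}))                                      # 401
    print(status_for(guarded, {"Authorization": "Bearer wrong"}))       # 401
    print(status_for(guarded, {"Authorization": "Bearer " + KEY}))      # 200
```

Whether the gate lives in nginx or in the app, also keep the bind on 127.0.0.1 so the unauthenticated listener is never reachable directly, and rotate the key if the server has been exposed.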
Reference
Full technical details (tool list, mutation surface analysis, methodology): AI-LLM-Infrastructure-OSINT/blob/main/case-studies/commercial/mcp-cloud-survey-2026-05.md
(Search for “F0a, Alcy MCP Simple” in the document.)
I’m CC’ing contact@alcy.fr directly in case the customer of OVH is the Alcy team itself (the server’s tools enumerate alcy.fr admin URLs in their descriptions).
Happy to answer questions or assist with verification.
Regards,
Nicholas Michael Kloster / NuClide Research
nicholas@nuclide-research.com
AI-LLM-Infrastructure-OSINT