
Security: MCP server defaults to public network binding#1777

Open
tomaioo wants to merge 1 commit intodimensionalOS:mainfrom
tomaioo:fix/security/mcp-server-defaults-to-public-network-bi

Conversation

@tomaioo

@tomaioo tomaioo commented Apr 11, 2026

Summary

Security: MCP server defaults to public network binding

Problem

Severity: High | File: dimos/core/global_config.py:L44

The global configuration sets mcp_host to 0.0.0.0, which typically exposes the MCP server on all network interfaces. If MCP endpoints allow tool invocation or robot control without strong authentication, this can allow unauthorized remote access and command execution over the network.

Solution

Change the default host to 127.0.0.1 (or a Unix socket) and require explicit opt-in for external binding. Add mandatory authentication/authorization (e.g., mTLS or token-based auth) for non-local access, and document secure deployment defaults.

Changes

  • dimos/core/global_config.py (modified)

The global configuration sets `mcp_host` to `0.0.0.0`, which typically exposes the MCP server on all network interfaces. If MCP endpoints allow tool invocation or robot control without strong authentication, this can allow unauthorized remote access and command execution over the network.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
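The bind-address policy described above (loopback by default, external binding only by explicit opt-in), as an added stand-alone example that is not the project's `GlobalConfig` or any code from this PR. It uses only the standard library instead of pydantic-settings; the `MCP_ALLOW_EXTERNAL` opt-in variable is a hypothetical name chosen for the example, while `MCP_HOST` and the `127.0.0.1` default come from the PR.

```python
import ipaddress
from typing import Mapping

# Constructed stand-in for the mcp_host setting discussed in the PR.
DEFAULT_MCP_HOST = "127.0.0.1"   # the PR's new default (was "0.0.0.0")


def resolve_mcp_host(env: Mapping[str, str]) -> str:
    """Effective bind host: MCP_HOST from the environment if set, else loopback."""
    return env.get("MCP_HOST", DEFAULT_MCP_HOST).strip() or DEFAULT_MCP_HOST


def bind_exposure(host: str) -> str:
    """Classify a bind address: 'loopback', 'all-interfaces', 'specific' or 'hostname'."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal; only 'localhost' is treated as loopback.
        return "loopback" if host.lower() == "localhost" else "hostname"
    if addr.is_unspecified:      # 0.0.0.0 or :: -> every interface on the machine
        return "all-interfaces"
    if addr.is_loopback:         # 127.0.0.0/8 or ::1
        return "loopback"
    return "specific"


def check_bind_policy(env: Mapping[str, str]) -> tuple[str, list[str]]:
    """Return (host, findings); findings are non-empty when the server would be
    reachable from other hosts without the hypothetical MCP_ALLOW_EXTERNAL=1 opt-in."""
    host = resolve_mcp_host(env)
    exposure = bind_exposure(host)
    findings: list[str] = []
    if exposure != "loopback":
        opted_in = env.get("MCP_ALLOW_EXTERNAL", "").lower() in ("1", "true", "yes")
        if not opted_in:
            findings.append(
                f"mcp_host={host!r} binds {exposure}; set MCP_ALLOW_EXTERNAL=1 "
                "to confirm that external exposure is intended"
            )
        if exposure == "all-interfaces":
            findings.append(
                "binding to all interfaces exposes tool invocation on every "
                "network the host is attached to"
            )
    return host, findings
```

Running `check_bind_policy(os.environ)` at startup and refusing to serve when findings are present gives a deployment the explicit opt-in the PR description asks for.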
@greptile-apps
Contributor

greptile-apps bot commented Apr 11, 2026

Greptile Summary

This PR changes the default mcp_host binding in GlobalConfig from 0.0.0.0 (all interfaces) to 127.0.0.1 (loopback only), preventing unintentional exposure of the MCP server on external network interfaces. The fix is minimal and correct; users can still opt into external binding by setting the MCP_HOST environment variable or overriding via .env.

Confidence Score: 5/5

Safe to merge — single-line default change is correct and reduces attack surface with no functional regression for local use.

The change is minimal, correct, and directly addresses the stated security concern. pydantic-settings naturally provides opt-in override via MCP_HOST env var for users who need external binding. No logic issues, no other files affected, and no remaining P0/P1 findings.

No files require special attention.

Important Files Changed

Filename Overview
dimos/core/global_config.py Single-line change: mcp_host default changed from "0.0.0.0" to "127.0.0.1", correctly restricting MCP server to loopback-only by default.

Sequence Diagram

sequenceDiagram
    participant User
    participant GlobalConfig
    participant MCPServer
    participant Uvicorn

    User->>GlobalConfig: Instantiate (reads env / .env)
    Note over GlobalConfig: mcp_host defaults to "127.0.0.1"<br/>(was "0.0.0.0" before this PR)
    User->>MCPServer: _start_server(port=None)
    MCPServer->>GlobalConfig: global_config.mcp_host
    GlobalConfig-->>MCPServer: "127.0.0.1"
    MCPServer->>GlobalConfig: global_config.mcp_port
    GlobalConfig-->>MCPServer: 9990
    MCPServer->>Uvicorn: Config(app, host="127.0.0.1", port=9990)
    Uvicorn-->>MCPServer: server
    MCPServer->>Uvicorn: server.serve()
    Note over Uvicorn: Binds only to loopback<br/>(not reachable externally)

Reviews (1): Last reviewed commit: "fix(security): mcp server defaults to pu..."

2 participants