Skip to main content

AgenticMail CVE-2026-47255

HIGH
Improper Input Validation (CWE-20)
2026-05-29 https://github.com/agenticmail/agenticmail GHSA-wjjv-3mj2-39hf
Share

Lifecycle Timeline

2
Source Code Evidence Fetched
May 29, 2026 - 19:46 vuln.today
Analysis Generated
May 29, 2026 - 19:46 vuln.today

DescriptionCVE.org

The current upstream main branch at commit 7e0206d was reviewed, and the fix-first patch set was rebased on 2026-05-18. The patches cover: validated and bound inactive-agent hour filtering; storage SQL identifier validation; metadata-backed ownership checks for raw storage SQL; blocking direct storage metadata access through raw SQL; fail-closed outbound worker secret handling; SMTP envelope/header control-character validation before command construction; and TLS certificate verification as the default for MailSender with an explicit opt-out for local development. Validation completed locally with targeted API/Core security tests plus API/Core builds. The security patch branch was not published publicly because te repository's SECURITY.md asks reporters not to open public vulnerability issues.

AnalysisAI

Multiple input-validation and outbound-channel hardening defects in AgenticMail (npm @agenticmail/api ≤ 0.9.31 and @agenticmail/core ≤ 0.9.9) allow tenants to bypass storage ownership checks via raw SQL, reach cross-agent metadata, and cause the MailSender to transmit credentials over channels lacking certificate verification or with attacker-controlled SMTP headers. Tagged as information disclosure, the issue class is CWE-20 (improper input validation); no public exploit code has been identified at time of analysis and the vendor explicitly withheld the security patch branch from public release per their SECURITY.md, so weaponization risk is currently limited despite confirmed code-level fixes. Real-world impact is highest for multi-tenant AgenticMail deployments handling agent-owned mailboxes and outbound relay secrets.

Technical ContextAI

AgenticMail is a TypeScript/Node.js agent-email platform distributed as the @agenticmail/api HTTP layer and the @agenticmail/core mail stack (CPEs pkg:npm/@agenticmail_api and pkg:npm/@agenticmail_core). The root cause class is CWE-20 (Improper Input Validation) spanning several subsystems: the storage router accepted user-controlled SQL fragments - identifiers in GROUP BY/ORDER BY were unvalidated, comma-joined FROM lists (e.g. FROM agt_mine, agt_victim) bypassed the FROM/JOIN-anchored table-extraction regex so verifySqlAccess never ran on the second table, the agenticmail_storage_meta metadata table could be referenced directly by raw SQL, and the HAVING clause was interpolated raw because aggregate expressions could not be identifier-validated. The patch adds a storageTokenPattern backstop matching every agt_*/shared_*/agenticmail_storage_meta token anywhere in the query and a sanitizeHavingClause that bounds length to 200 chars and rejects ;, --, /*, */, and DDL/DML keywords (DROP, DELETE, UNION, ATTACH, PRAGMA, etc.). On the mail side, packages/core/src/mail/sender.ts previously defaulted TLS certificate verification off; the fix flips the default to verify with an explicit opt-out for local dev, alongside SMTP envelope/header control-character validation and fail-closed handling of outbound-worker secrets.

RemediationAI

Vendor-released patch: upgrade @agenticmail/api to 0.9.32 and @agenticmail/core to 0.9.10 from npm; both must be upgraded together because the storage hardening (api) and MailSender TLS/SMTP fixes (core) are split across packages. Patch commits are 1408de543fa3577d8c2d4fdb289c75fe6faafac7, 234b811e426a0743170f3b10bc43419d64330155, 6c70c8254c906f823392d7f5ccee88a5481e7731, and 8cb053f2307dd77b7736ffa0d7df04b0ccc3272d under github.com/agenticmail/agenticmail, with the advisory at https://github.com/agenticmail/agenticmail/security/advisories/GHSA-wjjv-3mj2-39hf. If immediate upgrade is not possible, compensating controls with explicit trade-offs: restrict the storage raw-SQL/HAVING routes to a trusted internal allow-list (breaks any agent that legitimately uses raw-SQL queries); block direct references to agenticmail_storage_meta and any agt_* table not owned by the calling tenant at a proxy layer (requires maintaining a per-tenant ownership map externally); for the MailSender issue, explicitly set TLS certificate verification on in configuration and route outbound SMTP only through TLS-terminated relays you control (loses the local-dev opt-out convenience but eliminates the MITM exposure); and rotate any SMTP credentials that may have transited a verification-disabled connection before patching.

Share

CVE-2026-47255 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy