Skip to main content

Inkeep Agents CVE-2026-8321

| EUVDEUVD-2026-29212 MEDIUM
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-11 VulDB GHSA-mv62-653x-7444
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 11, 2026 - 20:37 NVD
HIGH MEDIUM
CVSS changed
May 11, 2026 - 20:37 NVD
7.3 (HIGH) 5.5 (MEDIUM)
Analysis Generated
May 11, 2026 - 20:31 vuln.today
CVE Published
May 11, 2026 - 19:45 nvd
HIGH 7.3

DescriptionCVE.org

A vulnerability was detected in inkeep agents 0.58.14. This vulnerability affects the function createDevContext of the file agents-api/src/middleware/runAuth.ts of the component runAuth Middleware. Performing a manipulation results in authentication bypass using alternate channel. The attack is possible to be carried out remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Authentication bypass in Inkeep Agents 0.58.14 allows remote unauthenticated attackers to circumvent authentication controls via alternate channel manipulation in the runAuth middleware. The vulnerability exists in the createDevContext function of agents-api/src/middleware/runAuth.ts, enabling unauthorized access to protected resources with low impact to confidentiality, integrity, and availability. Publicly available exploit code exists (GitHub issue #3024), and the vendor has not yet responded to the vulnerability report, meaning no patch is currently available.

Technical ContextAI

The vulnerability resides in the runAuth middleware component of Inkeep Agents, specifically within the createDevContext function. This middleware is responsible for authentication enforcement in the agents API layer. The root cause is CWE-288 (Authentication Bypass Using an Alternate Path or Channel), indicating the authentication mechanism can be circumvented by accessing protected functionality through an unvalidated or improperly secured code path. The createDevContext function likely creates a development or testing context that inadvertently exposes privileged functionality without proper authentication checks when invoked through specific pathways. This architectural flaw allows attackers to exploit developer-intended features in production deployments, a common issue when development scaffolding is not properly isolated from production code paths.

RemediationAI

No vendor-released patch exists at time of analysis. The vendor (Inkeep) has not responded to the vulnerability report filed through GitHub issue #3024. In the absence of an official fix, implement compensating controls: (1) Upgrade to a version newer than 0.58.14 if available in the repository, verifying the createDevContext function has been removed or properly secured in agents-api/src/middleware/runAuth.ts. (2) If upgrade is not possible, review and disable the createDevContext function entirely by modifying runAuth.ts, though this may break development workflows if they depend on this context. (3) Restrict network access to the agents-api endpoint to trusted IP ranges only using firewall rules or reverse proxy ACLs, reducing exposure to authenticated internal users only-this mitigates the AV:N vector but does not fix the underlying authentication bypass. (4) Deploy runtime application security (RASP) or WAF rules to detect and block requests attempting to invoke createDevContext paths. Monitor the GitHub repository at https://github.com/inkeep/agents/ for patch commits and subscribe to https://vuldb.com/vuln/362608 for updates. All mitigations are temporary; plan to migrate away from this product if vendor remains unresponsive.

Share

CVE-2026-8321 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy