Submission #777622: OpenBMB XAgent v1.0.0 CWE-306 Information

Title: OpenBMB XAgent v1.0.0 CWE-306
Description:

# Technical Details

A Missing Authentication vulnerability exists in the ShareServer.on_connect() method in XAgentServer/application/websockets/share.py (line 109) of XAgent. The check_user() authentication call is commented out in share.py:109, meaning the /ws/share/{interaction_id} WebSocket endpoint accepts connections with completely fabricated credentials. Once connected, sending {"type": "shared"} causes the server to stream the complete execution history of any interaction, including third-party API keys stored in plaintext in raw.data.using_tools.tool_input.api_key. No valid account, no path traversal, no special tooling required.

# Vulnerable Code

- File: XAgentServer/application/websockets/share.py (line 109), method on_connect(). Why: the line "await check_user(db=self.db, user_id=user_id, token=token)" is commented out. The connection is accepted before any auth check; any username and token, real or fabricated, passes.
- File: XAgentServer/application/websockets/share.py (lines 173-198), method send_data(). Why: calls search_many_raws(interaction_id=self.client_id) where self.client_id is the attacker-controlled URL path parameter, with no ownership filter.
- File: XAgentServer/database/interface/interaction.py (lines 394-406), method search_many_raws(). Why: filters only by interaction_id, with no user_id check, and returns all records to any caller.
- File: XAgent/function_handler.py (lines 275-281). Why: stores api_key in plaintext in using_tools["tool_input"], which flows to the MySQL raw table.

# Reproduction

1. Deploy XAgent via Docker (docker compose up -d).
2. A victim user runs a task that invokes any RapidAPI tool with api_key; this is stored unmasked in the raw table automatically.
3. Attacker connects to /ws/share/{victim_interaction_id} with completely fake credentials (user_id=NOBODY, token=FAKE); the server accepts the connection.
4. Attacker sends {"type": "shared"}; the server streams ALL raw records of the victim's interaction, including the plaintext api_key.

# Impact

- Unauthenticated credential theft: any person who can reach the XAgent server can steal third-party API keys from any user without any account.
- Complete interaction history exposure: full task history including goals, plans, tool arguments, and results is readable by anyone.
- Zero-privilege attack: no authentication, no path traversal, no special tooling; just a WebSocket connection and a known interaction_id.
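The three defects above (auth call skipped before accept, records looked up by an attacker-supplied interaction_id with no ownership filter, and credentials persisted in plaintext) map onto three separate fixes. The following is an added illustration, not XAgent's own code: a small in-memory model of a share handler in which check_user() runs before the connection is accepted, the record query requires that the caller own the interaction, and credential-bearing keys in tool_input are masked before anything is streamed. Every name in it (FakeDB, HardenedShareHandler, token_for, search_many_raws_owned, connect_outcome) is a hypothetical stand-in, and the sample records and token secret are constructed for the demo.

```python
# Added example, not XAgent's code: hardened share-handler model with
# authenticate-before-accept, ownership-filtered queries and credential masking.
# All names are hypothetical stand-ins; sample data below is constructed.
import hashlib
import hmac
from dataclasses import dataclass, field

SECRET = b"constructed-demo-secret"  # constructed; load from config in real code
SENSITIVE_KEYS = {"api_key", "token", "password", "secret"}


class AuthError(Exception):
    """Raised when the credential or ownership check fails."""


@dataclass
class RawRecord:
    interaction_id: str
    data: dict


@dataclass
class FakeDB:
    tokens: dict                      # user_id -> expected token
    interactions: dict                # interaction_id -> owner user_id
    raws: list = field(default_factory=list)


def token_for(user_id: str) -> str:
    """Deterministic demo token (HMAC of the user id) for constructed users."""
    return hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()


def check_user(db: FakeDB, user_id: str, token: str) -> None:
    """Reject unknown users and wrong tokens using a constant-time compare."""
    expected = db.tokens.get(user_id)
    if expected is None or not hmac.compare_digest(expected.encode(), token.encode()):
        raise AuthError("invalid user_id or token")


def search_many_raws_owned(db: FakeDB, interaction_id: str, user_id: str) -> list:
    """Like a raw-record query, but scoped to interactions the caller owns."""
    if db.interactions.get(interaction_id) != user_id:
        raise AuthError("interaction is not owned by caller")
    return [r for r in db.raws if r.interaction_id == interaction_id]


def redact_tool_input(tool_input: dict) -> dict:
    """Mask credential-bearing keys before tool arguments leave the server."""
    return {k: ("***" if k in SENSITIVE_KEYS else v) for k, v in tool_input.items()}


class HardenedShareHandler:
    def __init__(self, db: FakeDB, interaction_id: str, user_id: str, token: str):
        self.db, self.client_id = db, interaction_id   # client_id = URL path param
        self.user_id, self.token = user_id, token
        self.accepted = False

    def on_connect(self) -> bool:
        # Credentials are verified BEFORE the socket is accepted, and the
        # path parameter is checked against the authenticated user's ownership.
        check_user(self.db, self.user_id, self.token)
        if self.db.interactions.get(self.client_id) != self.user_id:
            raise AuthError("caller may not share this interaction")
        self.accepted = True
        return True

    def send_data(self) -> list:
        """Handle {"type": "shared"}: stream only the caller's own records, masked."""
        if not self.accepted:
            raise AuthError("send_data called before a successful on_connect")
        out = []
        for r in search_many_raws_owned(self.db, self.client_id, self.user_id):
            data = dict(r.data)
            tools = dict(data.get("using_tools", {}))
            if "tool_input" in tools:
                tools["tool_input"] = redact_tool_input(tools["tool_input"])
            data["using_tools"] = tools
            out.append(data)
        return out


def build_demo_db() -> FakeDB:
    """Constructed sample data: alice owns int-1 and ran a tool with an API key."""
    db = FakeDB(tokens={"alice": token_for("alice"), "bob": token_for("bob")},
                interactions={"int-1": "alice"})
    db.raws.append(RawRecord("int-1", {"using_tools": {
        "tool_name": "demo_tool",
        "tool_input": {"query": "weather", "api_key": "constructed-key"}}}))
    return db


def connect_outcome(db: FakeDB, interaction_id: str, user_id: str, token: str) -> str:
    """'accepted' or 'rejected', so the three cases can be checked without exceptions."""
    try:
        HardenedShareHandler(db, interaction_id, user_id, token).on_connect()
        return "accepted"
    except AuthError:
        return "rejected"


if __name__ == "__main__":
    db = build_demo_db()
    print(connect_outcome(db, "int-1", "NOBODY", "FAKE"))       # fabricated creds: rejected
    print(connect_outcome(db, "int-1", "bob", token_for("bob")))  # valid user, not owner: rejected
    h = HardenedShareHandler(db, "int-1", "alice", token_for("alice"))
    h.on_connect()
    print(h.send_data())                                        # api_key streamed as ***
```

The ownership check is deliberately applied twice, once at connect time and again inside the query helper, so that a future caller of search_many_raws_owned() cannot bypass it by skipping on_connect(). Masking at send time is a stop-gap for records already persisted; the fourth finding (plaintext storage in function_handler.py) still calls for not writing the key into the raw table at all.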
Source: https://gist.github.com/YLChen-007/531ec6b169f4b9ecbc8c2f0b2cd7c5ee
User: Eric-z (UID 95890)
Submitted: March 11, 2026 14:21 (19 days ago)
Moderation: March 27, 2026 09:08 (16 days later)
Status: Accepted
VulDB entry: 353836 [OpenBMB XAgent 1.0.0 ShareServer WebSocket Endpoint share.py check_user interaction_id weak authentication]
Points: 20
