제출 #856816: poco-ai poco-agent 0.5.4 Authorization Bypass Through User-Controlled Key (CWE-639)정보

제목poco-ai poco-agent 0.5.4 Authorization Bypass Through User-Controlled Key (CWE-639)
설명# Technical Details An unauthenticated task capability resolution bypass exists in the `create_task` method in `executor_manager/app/api/v1/tasks.py` of poco-agent. The executor-manager exposes `POST /api/v1/tasks` accepting caller-controlled `user_id` and nested capability selections (`skill_ids`, `plugin_ids`, `mcp_server_ids`). The request path trusts the nested `config.user_id` as the effective identity for backend capability resolution and resolves explicit capability IDs without applying visibility checks. By contrast, the preset creation path in `backend/app/services/preset_service.py` explicitly validates that requested IDs are visible to the user — showing the intended authorization invariant exists but is bypassed at task-time. # Vulnerable Code File: executor_manager/app/schemas/task.py Method: TaskConfig / TaskCreateRequest schema Why: Explicitly permits attacker-controlled `skill_ids`, `plugin_ids`, `mcp_server_ids`, and a nested `config.user_id`. File: executor_manager/app/services/config_resolver.py Method: Capability resolution (skill, plugin, MCP dispatch) Why: Forwards raw attacker-selected IDs to backend internal resolve APIs under the effective `user_id` without verifying visibility before backend resolution. File: backend/app/services/skill_config_service.py / plugin_config_service.py / mcp_config_service.py Method: resolve_explicit_ids Why: Materializes requested IDs directly with `get_by_id()` before any ownership or visibility validation, unlike the preset path which enforces visibility checks. # Reproduction 1. Create a hidden skill (e.g., ID 8) visible only to certain users, not the victim. 2. Send an unauthenticated POST to executor-manager /api/v1/tasks with top-level `user_id` set to attacker and nested `config.user_id` set to victim, plus `skill_ids=[8]`. 3. Observe the backend resolves `hidden-skill` for the victim context even though the victim cannot list it. 4. Confirm that sending the same hidden skill ID through the preset API path returns 400 "Invalid skill ids", proving the task-time path bypasses the guard. # Impact - Injection of non-visible skills, plugins, or MCP servers into another user's effective runtime context. - Breaks the product's capability isolation model. - Can expose internal-only tooling, privileged integrations, and side-effecting execution paths to unauthorized users.
원천⚠️ https://github.com/poco-ai/poco-claw/issues/140
사용자
 Erichen (UID 98955)
제출2026. 06. 12. AM 10:35 (1 월 ago)
모더레이션2026. 07. 17. AM 07:44 (1 month later)
상태중복
VulDB 항목379757 [poco-ai poco-claw 까지 0.5.4 executor_manager API tasks.py create_task 약한 인증]
포인트들0

Want to know what is going to be exploited?

We predict KEV entries!