| Title | poco-ai poco-agent 0.5.4 Authorization Bypass Through User-Controlled Key (CWE-639) |
|---|
| Description | # Technical Details
An unauthenticated task capability resolution bypass exists in the `create_task` method in `executor_manager/app/api/v1/tasks.py` of poco-agent.
The executor-manager exposes `POST /api/v1/tasks` accepting caller-controlled `user_id` and nested capability selections (`skill_ids`, `plugin_ids`, `mcp_server_ids`). The request path trusts the nested `config.user_id` as the effective identity for backend capability resolution and resolves explicit capability IDs without applying visibility checks. By contrast, the preset creation path in `backend/app/services/preset_service.py` explicitly validates that requested IDs are visible to the user — showing the intended authorization invariant exists but is bypassed at task-time.
# Vulnerable Code
File: executor_manager/app/schemas/task.py
Method: TaskConfig / TaskCreateRequest schema
Why: Explicitly permits attacker-controlled `skill_ids`, `plugin_ids`, `mcp_server_ids`, and a nested `config.user_id`.
File: executor_manager/app/services/config_resolver.py
Method: Capability resolution (skill, plugin, MCP dispatch)
Why: Forwards raw attacker-selected IDs to backend internal resolve APIs under the effective `user_id` without verifying visibility before backend resolution.
File: backend/app/services/skill_config_service.py / plugin_config_service.py / mcp_config_service.py
Method: resolve_explicit_ids
Why: Materializes requested IDs directly with `get_by_id()` before any ownership or visibility validation, unlike the preset path which enforces visibility checks.
# Reproduction
1. Create a hidden skill (e.g., ID 8) visible only to certain users, not the victim.
2. Send an unauthenticated POST to executor-manager /api/v1/tasks with top-level `user_id` set to attacker and nested `config.user_id` set to victim, plus `skill_ids=[8]`.
3. Observe the backend resolves `hidden-skill` for the victim context even though the victim cannot list it.
4. Confirm that sending the same hidden skill ID through the preset API path returns 400 "Invalid skill ids", proving the task-time path bypasses the guard.
# Impact
- Injection of non-visible skills, plugins, or MCP servers into another user's effective runtime context.
- Breaks the product's capability isolation model.
- Can expose internal-only tooling, privileged integrations, and side-effecting execution paths to unauthorized users. |
|---|
| Source | ⚠️ https://github.com/poco-ai/poco-claw/issues/140 |
|---|
| User | Erichen (UID 98955) |
|---|
| Submission | 06/12/2026 10:35 (1 month ago) |
|---|
| Moderation | 07/17/2026 07:44 (1 month later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 379757 [poco-ai poco-claw up to 0.5.4 executor_manager API tasks.py create_task missing authentication] |
|---|
| Points | 0 |
|---|