提交 #811314: inkeep agents 0.58.14 Authentication Bypass (CWE-288)信息

标题	inkeep agents 0.58.14 Authentication Bypass (CWE-288)
描述	# Technical Details An Authentication Bypass vulnerability exists in the `createDevContext` function in `agents-api/src/middleware/runAuth.ts` of inkeep agents. The application fails to properly validate inputs and authenticate requests when the application is running in `development` or `test` mode, trusting the unverified `x-inkeep-tenant-id`, `x-inkeep-project-id`, and `x-inkeep-agent-id` HTTP headers. # Vulnerable Code File: agents-api/src/middleware/runAuth.ts Method: createDevContext Why: The function blindly prioritizes external `x-inkeep-*` HTTP headers over safe test defaults to construct a dummy user execution context, which allows bypassing strict API key authentication when developer bypass secrets or API keys are missing. # Reproduction 1. Ensure the agents-api application is running locally with `ENVIRONMENT=development` (which is the default). 2. Identify a protected endpoint, such as `/run/agents/{agent_id}/chat`. 3. Submit an unauthenticated POST request and inject targeted execution context parameters via the `x-inkeep-tenant-id`, `x-inkeep-project-id`, and `x-inkeep-agent-id` headers (e.g., `curl -X POST "http://localhost:3002/run/agents/target-agent/chat" -H "x-inkeep-tenant-id: hacked-tenant" ...`). # Impact - Authentication Bypass & Privilege Escalation (Tenant Takeover) allowing unauthenticated attackers to assume the identity of any registered platform tenant and project. - Unauthorized Data Access exposing cross-tenant interaction histories, metadata, and intelligent model configurations. - API Exhaustion / Billing Fraud where attackers can consume significant backend LLM tokens billed to impersonated victims.
来源	⚠️ https://github.com/inkeep/agents/issues/3024
用户	Eric-d (UID 96861)
提交	2026-04-23 11時18分 (1 月前)
管理	2026-05-11 15時36分 (18 days later)
状态	已接受
VulDB条目	362608 [inkeep agents 0.58.14 runAuth Middleware runAuth.ts createDevContext 弱身份验证]
积分	20

◂ 上一步一览下一步 ▸

Do you need the next level of professionalism?

Upgrade your account now!