提交 #856816: poco-ai poco-agent 0.5.4 Authorization Bypass Through User-Controlled Key (CWE-639)信息

标题poco-ai poco-agent 0.5.4 Authorization Bypass Through User-Controlled Key (CWE-639)
描述# Technical Details An unauthenticated task capability resolution bypass exists in the `create_task` method in `executor_manager/app/api/v1/tasks.py` of poco-agent. The executor-manager exposes `POST /api/v1/tasks` accepting caller-controlled `user_id` and nested capability selections (`skill_ids`, `plugin_ids`, `mcp_server_ids`). The request path trusts the nested `config.user_id` as the effective identity for backend capability resolution and resolves explicit capability IDs without applying visibility checks. By contrast, the preset creation path in `backend/app/services/preset_service.py` explicitly validates that requested IDs are visible to the user — showing the intended authorization invariant exists but is bypassed at task-time. # Vulnerable Code File: executor_manager/app/schemas/task.py Method: TaskConfig / TaskCreateRequest schema Why: Explicitly permits attacker-controlled `skill_ids`, `plugin_ids`, `mcp_server_ids`, and a nested `config.user_id`. File: executor_manager/app/services/config_resolver.py Method: Capability resolution (skill, plugin, MCP dispatch) Why: Forwards raw attacker-selected IDs to backend internal resolve APIs under the effective `user_id` without verifying visibility before backend resolution. File: backend/app/services/skill_config_service.py / plugin_config_service.py / mcp_config_service.py Method: resolve_explicit_ids Why: Materializes requested IDs directly with `get_by_id()` before any ownership or visibility validation, unlike the preset path which enforces visibility checks. # Reproduction 1. Create a hidden skill (e.g., ID 8) visible only to certain users, not the victim. 2. Send an unauthenticated POST to executor-manager /api/v1/tasks with top-level `user_id` set to attacker and nested `config.user_id` set to victim, plus `skill_ids=[8]`. 3. Observe the backend resolves `hidden-skill` for the victim context even though the victim cannot list it. 4. Confirm that sending the same hidden skill ID through the preset API path returns 400 "Invalid skill ids", proving the task-time path bypasses the guard. # Impact - Injection of non-visible skills, plugins, or MCP servers into another user's effective runtime context. - Breaks the product's capability isolation model. - Can expose internal-only tooling, privileged integrations, and side-effecting execution paths to unauthorized users.
来源⚠️ https://github.com/poco-ai/poco-claw/issues/140
用户
 Erichen (UID 98955)
提交2026-06-12 10時35分 (1 月前)
管理2026-07-17 07時44分 (1 month later)
状态重复
VulDB条目379757 [poco-ai poco-claw 直到 0.5.4 executor_manager API tasks.py create_task 弱身份验证]
积分0

Interested in the pricing of exploits?

See the underground prices here!