GHSA-HJWC-26PJ-V3PM
Vulnerability from github – Published: 2026-06-18 17:20 – Updated: 2026-06-18 17:20Summary
A low-privileged authenticated AgenticMail agent can enumerate another agent's pending/claimed tasks by supplying the target agent name to GET /api/agenticmail/tasks/pending?assignee=<name>. The returned task objects include the task IDs and payloads. The same task IDs can then be used with the capability-style task mutation endpoints (/tasks/:id/claim, /tasks/:id/result, /tasks/:id/complete, /tasks/:id/fail) to claim, complete, or fail tasks assigned to a different agent.
Because ordinary authenticated agents can discover agent names through GET /api/agenticmail/accounts/directory, the task ID effectively stops being a secret capability. This turns the intended capability model into a cross-agent authorization bypass.
Affected component
Package: @agenticmail/api
Observed version: 0.9.62
Repository: agenticmail/agenticmail
Relevant code paths:
packages/api/src/app.ts:createAuthMiddleware(...)is mounted beforecreateAccountRoutes(...)andcreateTaskRoutes(...), so these routes are reachable by any valid bearer token.packages/api/src/routes/accounts.ts:GET /accounts/directoryis available to any authenticated user and returns agent names.packages/api/src/routes/tasks.ts:GET /tasks/pending?assignee=nameresolves arbitrary agent names and returns that agent's pending/claimed tasks.packages/api/src/routes/tasks.ts:/tasks/:id/claim,/tasks/:id/result,/tasks/:id/complete,/tasks/:id/fail, and/tasks/:iddo not check whether the authenticated caller is the task assignee, assigner, or otherwise authorized for the task.
Impact
An attacker only needs a valid agent API key. They can:
- List agent names using
/accounts/directory. - Query another agent's task queue using
/tasks/pending?assignee=<victimName>. - Read sensitive task payloads intended for the victim agent.
- Use the disclosed task ID to complete/fail/claim the victim's task or submit attacker-controlled results.
Local reproduction
I reproduced this locally with a focused Vitest test mounted directly on createTaskRoutes. The test creates two agents, Alice and Bob, and one pending task assigned to Bob. Alice authenticates with her own agent key and performs the following sequence:
GET /api/agenticmail/tasks/pending?assignee=BobwithAuthorization: Bearer ak_alice.- The response is HTTP 200 and includes Bob's task ID and payload:
task-for-bob,{ "task": "secret task intended for Bob" }. - Alice then sends
POST /api/agenticmail/tasks/task-for-bob/completewith her own bearer token and an attacker-controlled result. - The task status becomes
completedand the stored result is controlled by Alice.
The local verification command was:
npm run test --workspace=@agenticmail/api -- task-routes-authz.test.ts
Result:
PASS src/__tests__/task-routes-authz.test.ts (1 test)
Expected behavior
Task listing and task mutation endpoints should enforce an authorization relationship between the authenticated caller and the task. For example:
GET /tasks/pending?assignee=<name>should either be restricted to the current agent, master/admin callers, or an explicit delegated relationship./tasks/:id/claim,/tasks/:id/result,/tasks/:id/complete,/tasks/:id/fail, and/tasks/:idshould verify that the caller is the assignee, assigner, master/admin, or otherwise explicitly authorized.- If capability-based task IDs are retained, the API should not expose those IDs to unrelated agents through the assignee-name listing path.
Credit
Please credit the finder as: Yaohui Wang
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@agenticmail/api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.64"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T17:20:55Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nA low-privileged authenticated AgenticMail agent can enumerate another agent\u0027s pending/claimed tasks by supplying the target agent name to `GET /api/agenticmail/tasks/pending?assignee=\u003cname\u003e`. The returned task objects include the task IDs and payloads. The same task IDs can then be used with the capability-style task mutation endpoints (`/tasks/:id/claim`, `/tasks/:id/result`, `/tasks/:id/complete`, `/tasks/:id/fail`) to claim, complete, or fail tasks assigned to a different agent.\n\nBecause ordinary authenticated agents can discover agent names through `GET /api/agenticmail/accounts/directory`, the task ID effectively stops being a secret capability. This turns the intended capability model into a cross-agent authorization bypass.\n\n## Affected component\n\nPackage: `@agenticmail/api`\nObserved version: `0.9.62`\nRepository: `agenticmail/agenticmail`\n\nRelevant code paths:\n\n- `packages/api/src/app.ts`: `createAuthMiddleware(...)` is mounted before `createAccountRoutes(...)` and `createTaskRoutes(...)`, so these routes are reachable by any valid bearer token.\n- `packages/api/src/routes/accounts.ts`: `GET /accounts/directory` is available to any authenticated user and returns agent names.\n- `packages/api/src/routes/tasks.ts`: `GET /tasks/pending?assignee=name` resolves arbitrary agent names and returns that agent\u0027s pending/claimed tasks.\n- `packages/api/src/routes/tasks.ts`: `/tasks/:id/claim`, `/tasks/:id/result`, `/tasks/:id/complete`, `/tasks/:id/fail`, and `/tasks/:id` do not check whether the authenticated caller is the task assignee, assigner, or otherwise authorized for the task.\n\n## Impact\n\nAn attacker only needs a valid agent API key. They can:\n\n1. List agent names using `/accounts/directory`.\n2. Query another agent\u0027s task queue using `/tasks/pending?assignee=\u003cvictimName\u003e`.\n3. Read sensitive task payloads intended for the victim agent.\n4. Use the disclosed task ID to complete/fail/claim the victim\u0027s task or submit attacker-controlled results.\n\n## Local reproduction\n\nI reproduced this locally with a focused Vitest test mounted directly on `createTaskRoutes`. The test creates two agents, Alice and Bob, and one pending task assigned to Bob. Alice authenticates with her own agent key and performs the following sequence:\n\n1. `GET /api/agenticmail/tasks/pending?assignee=Bob` with `Authorization: Bearer ak_alice`.\n2. The response is HTTP 200 and includes Bob\u0027s task ID and payload: `task-for-bob`, `{ \"task\": \"secret task intended for Bob\" }`.\n3. Alice then sends `POST /api/agenticmail/tasks/task-for-bob/complete` with her own bearer token and an attacker-controlled result.\n4. The task status becomes `completed` and the stored result is controlled by Alice.\n\nThe local verification command was:\n\n```bash\nnpm run test --workspace=@agenticmail/api -- task-routes-authz.test.ts\n```\n\nResult:\n\n```text\nPASS src/__tests__/task-routes-authz.test.ts (1 test)\n```\n\n## Expected behavior\n\nTask listing and task mutation endpoints should enforce an authorization relationship between the authenticated caller and the task. For example:\n\n- `GET /tasks/pending?assignee=\u003cname\u003e` should either be restricted to the current agent, master/admin callers, or an explicit delegated relationship.\n- `/tasks/:id/claim`, `/tasks/:id/result`, `/tasks/:id/complete`, `/tasks/:id/fail`, and `/tasks/:id` should verify that the caller is the assignee, assigner, master/admin, or otherwise explicitly authorized.\n- If capability-based task IDs are retained, the API should not expose those IDs to unrelated agents through the assignee-name listing path.\n\n## Credit\n\nPlease credit the finder as: Yaohui Wang",
"id": "GHSA-hjwc-26pj-v3pm",
"modified": "2026-06-18T17:20:55Z",
"published": "2026-06-18T17:20:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/agenticmail/agenticmail/security/advisories/GHSA-hjwc-26pj-v3pm"
},
{
"type": "PACKAGE",
"url": "https://github.com/agenticmail/agenticmail"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "AgenticMail: Cross-agent task authorization bypass in AgenticMail API"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.