Lucene search
K

5 matches found

NVD
NVD
added 2026/02/03 12:16 p.m.17 views

CVE-2026-1664

Summary An Insecure Direct Object Reference has been found to exist in createHeaderBasedEmailResolver function within the Cloudflare Agents SDK. The issue occurs because the Message-ID and References headers are parsed to derive the target agentName and agentId without proper validation or origin...

6.9CVSS0.00366EPSS
Exploits0References1
OSV
OSV
added 2026/02/03 12:16 p.m.3 views

CVE-2026-1664

Summary An Insecure Direct Object Reference has been found to exist in createHeaderBasedEmailResolver function within the Cloudflare Agents SDK. The issue occurs because the Message-ID and References headers are parsed to derive the target agentName and agentId without proper validation or origin...

6.9CVSS5.9AI score0.00366EPSS
Exploits0References1
CVE
CVE
added 2026/02/03 11:39 a.m.23 views

CVE-2026-1664

Summary: CVE-2026-1664 affects Cloudflare Agents SDK prior to 0.3.7, due to an IDOR in header-based email routing. Root cause: createHeaderBasedEmailResolver() parses Message-ID and References to derive target agentName/agentId without cryptographic/origin verification, letting external headers s...

6.9CVSS5.5AI score0.00366EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/02/03 11:39 a.m.30 views

CVE-2026-1664 Insecure Direct Object Reference (IDOR) via Header-Based Email Routing

Summary An Insecure Direct Object Reference has been found to exist in createHeaderBasedEmailResolver function within the Cloudflare Agents SDK. The issue occurs because the Message-ID and References headers are parsed to derive the target agentName and agentId without proper validation or origin...

6.9CVSS0.00366EPSS
Exploits0References1
Hacker One
Hacker One
added 2025/11/13 10:29 p.m.16 views

Cloudflare Public Bug Bounty: AI Playground XSS to steal user-chat messages and access to connected MCP Server

A reflected XSS vulnerability was discovered in the AI Playground OAuth handler due to unescaped interpolation of the errordescription parameter into a script tag. The issue has been patched, and users of the open-source Agents SDK should upgrade to v0.3.10...

5.5AI score
Exploits0
Rows per page
Query Builder