CVE-2026-1664
IDOR in Cloudflare Agents SDK Email Routing Enables Mail Hijacking
Publication date: 2026-02-03
Last updated on: 2026-02-03
Assigner: Cloudflare, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cloudflare | agents | 0.3.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insecure Direct Object Reference (IDOR) found in the createHeaderBasedEmailResolver() function within the Cloudflare Agents SDK. It occurs because the Message-ID and References email headers are parsed without proper validation or origin checks, allowing an attacker who controls these headers to route inbound mail to arbitrary Durable Object instances and namespaces. Essentially, external input can dictate internal routing due to lack of cryptographic verification or origin validation.
How can this vulnerability impact me?
The vulnerability allows an attacker to manipulate inbound email routing by spoofing the Message-ID and References headers. This lets the attacker steer inbound mail to arbitrary Agent instances, potentially causing unauthorized access or manipulation of mail processing within the Cloudflare Agents environment.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade to [email protected] and refactor the resolver to enforce strict identity boundaries as described in the architectural context provided in the Cloudflare Agents SDK documentation at https://github.com/cloudflare/agents/blob/main/docs/email.md. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the manipulation of the Message-ID and References headers to route inbound mail to arbitrary Durable Object instances without proper validation. Detection would involve monitoring and inspecting inbound email headers for suspicious or unexpected Message-ID and References values that could indicate an attempt to exploit this Insecure Direct Object Reference.
Since the vulnerability is specific to the Cloudflare Agents SDK's email routing logic, detection commands would focus on capturing and analyzing email headers at the network or application level.
- Use packet capture tools like tcpdump or Wireshark to capture SMTP traffic and inspect Message-ID and References headers for anomalies. Headers are only visible in a capture when the session is not protected by STARTTLS or implicit TLS; otherwise inspect them at the receiving application instead.
- Example tcpdump command to capture SMTP traffic on port 25: `sudo tcpdump -i any port 25 -w smtp_traffic.pcap`
- Use grep or similar tools to search logs or captured data for unusual or unexpected Message-ID or References header values.
- Review application logs for inbound mail routing events that reference unexpected agentName or agentId values derived from these headers.
Ultimately, upgrading to [email protected] and refactoring the resolver as per the mitigation guidance is recommended to prevent exploitation. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know