CVE-2026-30968
Received Received - Intake
Insufficient Validation in Coral Server SSE Allows Unauthorized Access

Publication date: 2026-03-10

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, the SSE endpoint (/sse/v1/...) in Coral Server did not strongly validate that a connecting agent was a legitimate participant in the session. This could theoretically allow unauthorized message injection or observation. This vulnerability is fixed in 1.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30968
EUVD
EUVD-2026-10706
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
coralos coral_server to 1.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30968 is a vulnerability in the Coral Server's Server-Sent Events (SSE) endpoint (/sse/v1/...) present in versions 1.0 and earlier. The SSE endpoint did not strongly validate whether a connecting agent was a legitimate participant in the session. This insufficient validation could allow unauthorized agents to inject messages into the session or observe session messages without permission."}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in version 1.1.0 by requiring a valid agent secret tied to the session for SSE channel connections, enforcing strong validation of agent identity.'}] [2]

Impact Analysis

This vulnerability can impact you by allowing unauthorized agents to inject messages into a Coral Server session or observe messages within the session without authorization. This could lead to unauthorized data exposure or manipulation of session communications.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Coral Server to version 1.1.0 or later, where the SSE endpoint enforces strong validation of agent identity by requiring a valid agent secret tied to the session.

This update fixes the insufficient validation issue that allowed unauthorized message injection or observation by ensuring only legitimate participants can connect to the SSE endpoint.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30968. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart