CVE-2026-30970
Unauthorized Resource Exhaustion via Session Creation in Coral Server
Publication date: 2026-03-10
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coralos | coral_server | up to 1.1.0 (excluding 1.1.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30970 is a session authentication bypass vulnerability in Coral Server versions 1.0.1 and earlier. It affects the /api/v1/sessions endpoint, which allowed creation of agent sessions without strong authentication.
This endpoint performs resource-intensive operations such as container spawning and memory context creation. Because of the lack of proper authentication, an attacker could create sessions or consume system resources without authorization.
The vulnerability was fixed in Coral Server version 1.1.0 by requiring authenticated access to this endpoint.
How can this vulnerability impact me?
This vulnerability can allow an attacker to create unauthorized sessions or consume system resources without permission.
Because the endpoint performs resource-intensive operations, an attacker could exhaust system resources, potentially causing denial of service (DoS) conditions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring access to the /api/v1/sessions endpoint on Coral Server versions 1.0.1 and earlier. Since the endpoint allows unauthenticated session creation, unusual or unauthorized requests to this endpoint may indicate exploitation attempts.
You can use network monitoring tools or web server logs to identify requests to /api/v1/sessions without proper authentication.
Suggested commands to detect potential exploitation attempts include:
- Using curl to test whether the endpoint allows session creation without authentication: `curl -X POST http://<server_address>/api/v1/sessions`
- Using grep to search web server logs for unauthenticated POST requests to the endpoint: `grep "/api/v1/sessions" /var/log/nginx/access.log | grep POST`
- Using network monitoring tools like tcpdump or Wireshark to capture traffic targeting the /api/v1/sessions endpoint.
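The log-based check above, carried a step further as an added example that is not part of this advisory or of Coral Server: it parses nginx combined-format lines, keeps successful POSTs to /api/v1/sessions, and flags source addresses that create sessions faster than a threshold, which is the resource-exhaustion pattern the advisory describes. The sample log lines, the per-source threshold and the 60-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed nginx combined-format lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "POST /api/v1/sessions HTTP/1.1" 201 88 "-" "curl/8.4.0"
203.0.113.5 - - [10/Mar/2026:12:00:02 +0000] "POST /api/v1/sessions HTTP/1.1" 201 88 "-" "curl/8.4.0"
203.0.113.5 - - [10/Mar/2026:12:00:03 +0000] "POST /api/v1/sessions HTTP/1.1" 201 88 "-" "curl/8.4.0"
198.51.100.9 - alice [10/Mar/2026:12:00:07 +0000] "POST /api/v1/sessions HTTP/1.1" 201 88 "-" "coral-cli/1.0"
198.51.100.9 - alice [10/Mar/2026:12:30:00 +0000] "GET /api/v1/sessions HTTP/1.1" 200 412 "-" "coral-cli/1.0"
"""
# Combined format up to the status code: ip ident user [time] "METHOD path proto" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TARGET = "/api/v1/sessions"  # endpoint named in the advisory

def parse(line):
    """Fields of one combined-format line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def session_creations(lines):
    """Successful (2xx) POSTs to the session endpoint, oldest first."""
    events = [e for e in map(parse, lines) if e and e["method"] == "POST"
              and e["path"].split("?")[0] == TARGET and 200 <= e["status"] < 300]
    return sorted(events, key=lambda e: e["ts"])

def find_bursts(lines, max_per_window=2, window=timedelta(seconds=60)):
    """Map each source IP that created more than max_per_window sessions inside
    any sliding window to the largest count seen (threshold is an assumption)."""
    per_ip = defaultdict(list)
    for e in session_creations(lines):
        per_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > max_per_window:
                flagged[ip] = max(count, flagged.get(ip, 0))
    return flagged
```

Feed real log lines with `find_bursts(open("/var/log/nginx/access.log"))` and tune the threshold to the normal session-creation rate of legitimate clients; a standard access log does not record whether an Authorization header was sent, so pair this rate check with the server's own authentication logging where available.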
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Coral Server to version 1.1.0 or later, where the vulnerability is fixed by requiring authenticated access to the /api/v1/sessions endpoint.
If upgrading immediately is not possible, restrict access to the /api/v1/sessions endpoint by implementing network-level controls such as firewall rules or API gateway restrictions to limit access only to authorized users or systems.
Additionally, monitor system resource usage to detect and respond to any unusual consumption that may indicate exploitation attempts.