CVE-2026-7439
Received Received - Intake
AgentFlow Local Web API Content-Type Validation Bypass

Publication date: 2026-04-29

Last updated on: 2026-04-29

Assigner: VulnCheck

Description
AgentFlow's local web API accepts non-JSON content types on POST /api/runs and POST /api/runs/validate endpoints without enforcing application/json validation, allowing attackers to bypass trust-boundary enforcement on sensitive operations. Attackers can exploit this content-type validation weakness through browser-driven or local cross-origin requests to abuse the localhost API and enable attack chains against the local control plane.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7439
EUVD
EUVD-2026-26278
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
berabuddies agentflow to 1667fa3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

AgentFlow's local web API does not enforce that POST requests to the /api/runs and /api/runs/validate endpoints use the application/json content type. This means it accepts other content types without proper validation.

Because of this, attackers can bypass trust-boundary enforcement on sensitive operations by exploiting this weakness in content-type validation.

Attackers can use browser-driven or local cross-origin requests to abuse the localhost API, potentially enabling attack chains against the local control plane.

Impact Analysis

This vulnerability allows attackers to bypass security controls on sensitive operations by exploiting the lack of content-type validation.

As a result, attackers can perform unauthorized actions on the local control plane through the localhost API.

This can lead to potential compromise or manipulation of local system operations that rely on the AgentFlow API.

Executive Summary

CVE-2026-7439 is a security vulnerability in AgentFlow's local web API where certain endpoints (/api/runs and /api/runs/validate) accept POST requests with non-JSON content types without enforcing application/json validation.

This lack of content-type validation allows attackers to bypass trust-boundary enforcement on sensitive operations by sending specially crafted requests through browser-driven or local cross-origin requests.

Additionally, the API accepted a 'pipeline_path' parameter that allowed loading and executing local Python pipeline files, which could be exploited to execute arbitrary local pipeline files via the browser-facing control plane.

The vulnerability enables abuse of the localhost API and facilitates attack chains against the local control plane.

Impact Analysis

This vulnerability can allow attackers to bypass security boundaries and execute arbitrary local pipeline files on the affected system.

By exploiting the content-type validation weakness and the 'pipeline_path' parameter, attackers can abuse the localhost API to perform unauthorized operations, potentially leading to local control plane compromise.

Such unauthorized access and execution can lead to further attack chains, increasing the risk of system manipulation or data compromise.

The vulnerability has a medium severity CVSS score of 4.8, indicating a moderate impact if exploited.

Detection Guidance

This vulnerability can be detected by checking if the AgentFlow local web API endpoints /api/runs and /api/runs/validate accept POST requests with non-JSON content types without rejecting them.

You can test this by sending POST requests to these endpoints with content types other than application/json and observing if the server accepts them or returns an HTTP 415 Unsupported Media Type error.

For example, using curl commands:

  • curl -X POST http://localhost:port/api/runs -H "Content-Type: text/plain" -d 'test data' -v
  • curl -X POST http://localhost:port/api/runs/validate -H "Content-Type: text/plain" -d 'test data' -v

If the server accepts these requests without returning a 415 error, it indicates the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include applying the patch that enforces strict content-type validation on the affected endpoints.

  • Ensure the AgentFlow web API only accepts requests with the application/json content type on POST /api/runs and POST /api/runs/validate endpoints, rejecting others with HTTP 415 errors.
  • Disable the use of the pipeline_path parameter by default to prevent execution of arbitrary local pipeline files.
  • Restrict the AgentFlow server to bind only to localhost (127.0.0.1) to limit exposure.
  • If pipeline_path functionality is required, explicitly enable it by setting the environment variable AGENTFLOW_API_ALLOW_PIPELINE_PATH=1, but only in trusted environments.

These steps restore the intended trust boundary and prevent abuse of the local control plane.

Compliance Impact

The vulnerability in AgentFlow's local web API allows attackers to bypass trust-boundary enforcement on sensitive operations by exploiting a content-type validation weakness. This could enable unauthorized access or manipulation of local control plane operations.

Such unauthorized access and potential abuse of sensitive operations could lead to violations of data protection and security requirements mandated by common standards and regulations like GDPR and HIPAA, which require strict control over access to sensitive data and systems.

However, the provided information does not explicitly detail the direct impact on compliance with these standards or any specific regulatory consequences.

Detection Guidance

This vulnerability can be detected by checking if the AgentFlow local web API endpoints /api/runs and /api/runs/validate accept POST requests with non-JSON content types without rejecting them.

You can test this by sending POST requests to these endpoints with content types other than application/json and observe if the server accepts them or returns an HTTP 415 Unsupported Media Type error.

For example, using curl commands:

  • curl -X POST http://localhost:port/api/runs -H "Content-Type: text/plain" -d 'test data' -v
  • curl -X POST http://localhost:port/api/runs/validate -H "Content-Type: text/plain" -d 'test data' -v

If the server accepts these requests without returning a 415 error, it indicates the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include updating AgentFlow to the patched version that enforces strict content-type validation and disables the pipeline_path parameter by default.

  • Ensure the AgentFlow web API binds only to localhost (127.0.0.1) to restrict access to the local machine.
  • Verify that the /api/runs and /api/runs/validate endpoints reject non-application/json content types with HTTP 415 errors.
  • Confirm that the pipeline_path parameter is disabled by default to prevent arbitrary local pipeline execution.
  • Avoid setting the environment variable AGENTFLOW_API_ALLOW_PIPELINE_PATH=1 unless you explicitly trust the local environment and require this functionality.

Applying these steps will restore the intended trust boundary and reduce the risk of exploitation through this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7439. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart