CVE-2026-8321
Status: Received - Intake
Authentication Bypass in Inkeep Agents via runAuth Middleware

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulDB

Description
A vulnerability was detected in inkeep agents 0.58.14. It affects the function createDevContext in the file agents-api/src/middleware/runAuth.ts of the runAuth Middleware component. Manipulation results in an authentication bypass via an alternate channel. The attack can be carried out remotely. An exploit is public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Generated: 2026-06-21
AI Q&A: 2026-05-12
EPSS Evaluated: 2026-06-20
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
inkeep | agents  | 0.58.14
inkeep | agents  | up to 0.58.14 (exclusive)
CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-288: The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Compliance Impact

The vulnerability allows authentication bypass in development or test modes, enabling unauthorized attackers to impersonate any tenant, project, or agent by injecting malicious headers. This leads to unauthorized data access, privilege escalation, and potential tenant takeover.

Such unauthorized access and data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

Therefore, exploitation of this vulnerability could lead to violations of data protection requirements, exposing organizations to legal and regulatory risks.

Executive Summary

CVE-2026-8321 is an authentication bypass vulnerability in the runAuth middleware of the @inkeep/agents-api package, affecting versions up to 0.58.14.

The flaw occurs when the application runs in development or test mode, where the middleware bypasses strict API key validation.

Attackers can inject malicious HTTP headers (x-inkeep-tenant-id, x-inkeep-project-id, and x-inkeep-agent-id) that the createDevContext function blindly trusts, allowing them to impersonate any tenant, project, or agent.

This leads to unauthorized access and control, effectively enabling complete tenant takeover.

Impact Analysis

The vulnerability allows attackers to bypass authentication and impersonate any tenant, project, or agent.

  • Unauthorized data access
  • Privilege escalation
  • Potential API exhaustion
  • Billing fraud

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests for suspicious usage of the `x-inkeep-tenant-id`, `x-inkeep-project-id`, and `x-inkeep-agent-id` headers, especially when the application is running in development or test mode (ENVIRONMENT=development or ENVIRONMENT=test). These headers should not be trusted as they can be used to bypass authentication.

A practical detection method is to capture and inspect incoming HTTP requests to the runAuth middleware for these headers. For example, using command-line tools like curl or tcpdump to monitor traffic or logs for these headers can help identify exploitation attempts.

  • Use curl to send a request with suspicious headers and observe if authentication is bypassed: `curl -H "x-inkeep-tenant-id: malicious" -H "x-inkeep-project-id: malicious" -H "x-inkeep-agent-id: malicious" http://your-inkeep-agent-endpoint`
  • Use tcpdump or Wireshark to capture HTTP traffic and filter for the `x-inkeep-*` headers to detect unauthorized header injection.
  • Check application logs for unexpected tenant, project, or agent identifiers that do not match legitimate values.

Mitigation Strategies

Immediate mitigation steps include upgrading the inkeep agents package to a version later than 0.58.14 where the vulnerability is patched.

If upgrading is not immediately possible, ensure that the application is not running in development or test mode in production environments, as the vulnerability is exploitable only in these modes.

Additionally, implement strict validation and sanitization of the `x-inkeep-*` HTTP headers in the runAuth middleware to prevent unauthorized header injection.

Monitor and restrict access to the API endpoints to trusted networks or authenticated users to reduce the attack surface.
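As an added illustration of the header-validation mitigation and of the log-monitoring check in the detection guidance (example code, not the Inkeep project's own runAuth implementation): a gate that only honours the `x-inkeep-*` headers when every assumed condition holds and otherwise rejects with a reason that log monitoring can alert on. The opt-in flag, loopback-only policy, bearer-token check and identifier pattern are assumptions of this example.

```typescript
// Added example, not the Inkeep project's own code: a defensive gate for the
// header-derived dev context this advisory describes. Header names and ENVIRONMENT
// values come from the advisory; the policy below is an assumption of the example.
type Decision =
  | { kind: "api_key" }
  | { kind: "dev_context"; tenantId: string; projectId: string; agentId: string }
  | { kind: "reject"; reason: string };

interface RequestInfo {
  env: string;                                 // value of ENVIRONMENT
  remoteAddress: string;                       // peer address seen by the server
  headers: Record<string, string | undefined>; // lower-cased header names
  devBypassEnabled: boolean;                   // assumed opt-in switch, off by default
}

const DEV_HEADERS = ["x-inkeep-tenant-id", "x-inkeep-project-id", "x-inkeep-agent-id"];
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);
const ID_RE = /^[A-Za-z0-9_-]{1,64}$/; // assumed identifier shape

function decideAuth(req: RequestInfo): Decision {
  const h = req.headers;
  const auth = h["authorization"];
  // A bearer API key always takes the normal validation path; dev headers never
  // override it, so they cannot switch tenant on an otherwise valid request.
  if (typeof auth === "string" && auth.startsWith("Bearer ")) return { kind: "api_key" };
  const present = DEV_HEADERS.filter((n) => h[n] !== undefined);
  if (present.length === 0) return { kind: "reject", reason: "no credentials" };
  // Dev headers without an API key: every condition below must hold; the
  // rejection reason is what application-log monitoring should alert on.
  if (req.env !== "development" && req.env !== "test")
    return { kind: "reject", reason: "dev headers outside development/test" };
  if (!req.devBypassEnabled) return { kind: "reject", reason: "dev bypass not enabled" };
  if (!LOOPBACK.has(req.remoteAddress))
    return { kind: "reject", reason: "dev headers from non-loopback peer" };
  if (present.length !== DEV_HEADERS.length)
    return { kind: "reject", reason: "incomplete dev headers" };
  const ids = DEV_HEADERS.map((n) => h[n] as string);
  if (!ids.every((v) => ID_RE.test(v))) return { kind: "reject", reason: "malformed identifier" };
  return { kind: "dev_context", tenantId: ids[0], projectId: ids[1], agentId: ids[2] };
}

// Constructed sample request matching the advisory's scenario: development
// mode, remote peer, attacker-chosen identifiers in the x-inkeep-* headers.
const SPOOFED_REMOTE: RequestInfo = {
  env: "development",
  remoteAddress: "203.0.113.7",
  headers: { "x-inkeep-tenant-id": "victim-tenant", "x-inkeep-project-id": "p1", "x-inkeep-agent-id": "a1" },
  devBypassEnabled: true,
};
```

A `reject` decision whose reason names the dev headers is the event to surface in application logs; the same request from a loopback peer with the opt-in flag set is the only case in which the headers are honoured.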
