CVE-2026-8321
Authentication Bypass in Inkeep Agents via runAuth Middleware
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| inkeep | agents | 0.58.14 |
| inkeep | agents | to 0.58.14 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8321 is an authentication bypass vulnerability in the runAuth middleware of the @inkeep/agents-api package, affecting versions up to 0.58.14.
The flaw occurs when the application runs in development or test mode, where the middleware bypasses strict API key validation.
Attackers can inject malicious HTTP headers (x-inkeep-tenant-id, x-inkeep-project-id, and x-inkeep-agent-id) that the createDevContext function blindly trusts, allowing them to impersonate any tenant, project, or agent.
This leads to unauthorized access and control, effectively enabling complete tenant takeover.
How can this vulnerability impact me? :
The vulnerability allows attackers to bypass authentication and impersonate any tenant, project, or agent.
- Unauthorized data access
- Privilege escalation
- Potential API exhaustion
- Billing fraud
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests for suspicious usage of the `x-inkeep-tenant-id`, `x-inkeep-project-id`, and `x-inkeep-agent-id` headers, especially when the application is running in development or test mode (ENVIRONMENT=development or ENVIRONMENT=test). These headers should not be trusted as they can be used to bypass authentication.
A practical detection method is to capture and inspect incoming HTTP requests to the runAuth middleware for these headers. For example, using command-line tools like curl or tcpdump to monitor traffic or logs for these headers can help identify exploitation attempts.
- Use curl to send a request with suspicious headers and observe if authentication is bypassed: curl -H "x-inkeep-tenant-id: malicious" -H "x-inkeep-project-id: malicious" -H "x-inkeep-agent-id: malicious" http://your-inkeep-agent-endpoint
- Use tcpdump or Wireshark to capture HTTP traffic and filter for the `x-inkeep-*` headers to detect unauthorized header injection.
- Check application logs for unexpected tenant, project, or agent identifiers that do not match legitimate values.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the inkeep agents package to a version later than 0.58.14 where the vulnerability is patched.
If upgrading is not immediately possible, ensure that the application is not running in development or test mode in production environments, as the vulnerability is exploitable only in these modes.
Additionally, implement strict validation and sanitization of the `x-inkeep-*` HTTP headers in the runAuth middleware to prevent unauthorized header injection.
Monitor and restrict access to the API endpoints to trusted networks or authenticated users to reduce the attack surface.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authentication bypass in development or test modes, enabling unauthorized attackers to impersonate any tenant, project, or agent by injecting malicious headers. This leads to unauthorized data access, privilege escalation, and potential tenant takeover.
Such unauthorized access and data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.
Therefore, exploitation of this vulnerability could lead to violations of data protection requirements, exposing organizations to legal and regulatory risks.