CVE-2026-59726
Received Received - Intake

Ruflo Docker-Compose MCP Bridge Unauthenticated Remote Code Execution

Vulnerability report for CVE-2026-59726, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Ruflo is an agent meta-harness for Claude Code and Codex. Prior to 3.16.3, ruflo's default docker-compose deployment exposed the MCP bridge POST /mcp and POST /mcp/:group endpoints without authentication, allowing an unauthenticated network attacker to invoke tools/call to terminal_execute, obtain a shell in the bridge container, read provider API keys, and poison AgentDB learning-store patterns. This issue is fixed in version 3.16.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
ruvnet ruflo 3.16.3
ruflo ruflo 3.16.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-942 The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

CVE-2026-59726 allows unauthenticated remote attackers to execute arbitrary code, gain shell access, and read sensitive provider API keys. This leads to a full compromise of confidentiality, integrity, and availability of the system.

Such a vulnerability can severely impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data, strict access controls, and prevention of unauthorized data disclosure or manipulation.

Specifically, the exposure of API keys and the ability to poison learning-store patterns could lead to unauthorized data access and manipulation, violating data protection and integrity requirements mandated by these regulations.

Organizations using affected versions must remediate immediately to avoid potential regulatory penalties and data breaches.

Executive Summary

CVE-2026-59726 is a critical security vulnerability in the ruflo project's MCP bridge component. The vulnerability arises because the MCP bridge exposes the POST /mcp and POST /mcp/:group endpoints without any authentication and binds to all network interfaces by default in its docker-compose deployment.

This lack of authentication allows an unauthenticated network attacker to remotely execute arbitrary code (Remote Code Execution - RCE) by invoking the terminal_execute tool within the bridge container. Exploiting this flaw, an attacker can gain shell access inside the container, read sensitive provider API keys from the environment, deploy malicious swarms using the victim's keys, and poison the AgentDB learning-store patterns to manipulate future AI outputs.

The vulnerability was fixed in version 3.16.3 by implementing multiple security hardening measures including binding services to the loopback interface by default, requiring authentication tokens for public exposure, enforcing server-side gating of terminal execution, enabling MongoDB authentication, and applying read-only filesystem restrictions.

Impact Analysis

This vulnerability can have severe impacts including full system compromise. An attacker exploiting this flaw can gain unauthorized shell access to the MCP bridge container.

  • Read all provider API keys from the container environment, potentially exposing sensitive credentials.
  • Deploy malicious swarms or actions using the victim's API keys, leading to unauthorized operations or data manipulation.
  • Poison the AgentDB learning store by injecting malicious patterns, which can manipulate or degrade the behavior of AI agents relying on this data.
  • Compromise the MongoDB database, potentially leading to data tampering or loss.

Overall, the vulnerability impacts confidentiality, integrity, and availability of the system, making it a critical risk.

Detection Guidance

This vulnerability can be detected by checking if the MCP bridge service is exposed on network interfaces other than the loopback (127.0.0.1) and if the POST /mcp and POST /mcp/:group endpoints are accessible without authentication.

You can use network scanning tools or commands to detect open ports and exposed services, for example:

  • Use netstat or ss to check if the MCP bridge (default port 3001) is bound to all interfaces: `netstat -tuln | grep 3001` or `ss -tuln | grep 3001`.
  • Use curl or similar HTTP client to test if the POST /mcp endpoint is accessible without authentication: `curl -X POST http://<host>:3001/mcp -d '{}' -v`.
  • Scan your network for open ports 3001 (MCP bridge) and 27017 (MongoDB) using nmap: `nmap -p 3001,27017 <host>`.

If these services are exposed publicly and respond without authentication, your system is vulnerable.

Mitigation Strategies

Immediate mitigation steps include restricting network exposure and applying security controls as outlined in the fix for version 3.16.3.

  • Firewall or block external access to ports 3001 (MCP bridge) and 27017 (MongoDB) to prevent unauthorized network access.
  • Upgrade ruflo to version 3.16.3 or later, which includes the fix that binds services to the loopback interface by default and requires authentication for public exposure.
  • Rotate all provider API keys immediately to prevent misuse from any previously compromised keys.
  • Audit the AgentDB learning store for any injected poisoned patterns and clean them if found.
  • Enable and enforce MongoDB authentication with strong passwords, as required by the fixed version.
  • Configure MCP_AUTH_TOKEN for authentication if public exposure of the MCP bridge is necessary.
  • Ensure the MCP bridge container filesystem is set to read-only to limit potential damage.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59726. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart