Description
Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, the SSE endpoint (/sse/v1/...) in Coral Server did not strongly validate that a connecting agent was a legitimate participant in the session. This could theoretically allow unauthorized message injection or observation. This vulnerability is fixed in 1.1.0.
Published: 2026-03-10
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized message injection or observation.
Action: Immediate patch
AI Analysis

Impact

Coral Server’s SSE endpoint (/sse/v1/...) lacks sufficient validation of an agent’s identity, allowing an unauthorized party to potentially inject messages into or observe data streams that belong to legitimate sessions. This weakness is a classic case of missing access control (CWE‑862) and could compromise the confidentiality and integrity of communication between agents. The vulnerability is theoretical but could be exploited to tamper with or eavesdrop on collaboration data, payments, or trust exchanges handled by the server.

Affected Systems

The issue exists in all Coral‑Protocol Coral Server releases before version 1.1.0. Only the SSE path is affected, and the fix is included starting with Coral Server 1.1.0. The vulnerability affects deployments of the Coral Server component of the Coral Protocol open collaboration infrastructure.

Risk and Exploitability

The CVSS score of 8.6 places the flaw in the high‑severity range. However, the EPSS score of less than 1% suggests the likelihood of exploitation is currently low, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to establish a session over the SSE endpoint without sufficient identity verification; the vulnerability can be triggered without any privileged knowledge beyond the endpoint’s existence and the ability to connect as an agent. Consequently, the threat is moderate to high, warranting timely remediation but not immediate emergency response.

Generated by OpenCVE AI on April 16, 2026 at 09:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Coral Server to version 1.1.0 or newer.
  • If an update is not possible, restrict access to the /sse/v1/ endpoint using firewalls or network segmentation so only trusted agents can reach it.
  • Enforce strict identity verification for agents before allowing SSE connections, such as validating tokens or certificates to mitigate the missing access control flaw.

Generated by OpenCVE AI on April 16, 2026 at 09:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Coralos
Coralos coral Server
CPEs cpe:2.3:a:coralos:coral_server:*:*:*:*:*:*:*:*
Vendors & Products Coralos
Coralos coral Server
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Coral-protocol
Coral-protocol coral-server
Vendors & Products Coral-protocol
Coral-protocol coral-server

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, the SSE endpoint (/sse/v1/...) in Coral Server did not strongly validate that a connecting agent was a legitimate participant in the session. This could theoretically allow unauthorized message injection or observation. This vulnerability is fixed in 1.1.0.
Title Coral Server has insufficient validation of agent identity for SSE connections
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Coral-protocol Coral-server
Coralos Coral Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T17:40:58.576Z

Reserved: 2026-03-07T17:53:48.815Z

Link: CVE-2026-30968

cve-icon Vulnrichment

Updated: 2026-03-10T17:40:53.048Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:55.593

Modified: 2026-03-13T19:49:13.237

Link: CVE-2026-30968

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses