Description
Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, Coral Server allowed the creation of agent sessions through the /api/v1/sessions endpoint without strong authentication. This endpoint performs resource-intensive initialization operations including container spawning and memory context creation. An attacker capable of accessing the endpoint could create sessions or consume system resources without proper authorization. This vulnerability is fixed in 1.1.0.
Published: 2026-03-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized session creation and resource exhaustion
Action: Patch
AI Analysis

Impact

Coral Server allowed creation of agent sessions through the /api/v1/sessions endpoint without requiring authentication, letting an attacker initiate resource‑intensive initialization operations such as container spawning and memory context creation. This bypass enables the attacker to create sessions or exhaust system resources, effectively facilitating denial‑of‑service or unauthorized usage. The weakness corresponds to Improper Authorization.

Affected Systems

The vendor Coral‑Protocol’s Coral Server product is affected. All releases before version 1.1.0 are vulnerable; the issue is fixed in 1.1.0 and later.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8 and an EPSS score of less than 1 %, indicating a high severity but currently low exploitation probability. Because the endpoint accepts requests without authentication, the attack vector is likely remote network access to the server’s API. Although not listed in the CISA KEV catalog, the omission does not reduce the risk; operators should treat the flaw as a serious threat to resource availability.

Generated by OpenCVE AI on April 16, 2026 at 03:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Coral Server 1.1.0 or newer immediately.
  • Until the upgrade can be performed, block or restrict access to the /api/v1/sessions endpoint using firewalls, reverse‑proxy authentication, or network segmentation.
  • Implement rate limiting or quotas on the session creation endpoint to mitigate resource consumption abuse.

Generated by OpenCVE AI on April 16, 2026 at 03:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Coralos
Coralos coral Server
CPEs cpe:2.3:a:coralos:coral_server:*:*:*:*:*:*:*:*
Vendors & Products Coralos
Coralos coral Server
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Thu, 12 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Coral-protocol
Coral-protocol coral-server
Vendors & Products Coral-protocol
Coral-protocol coral-server

Tue, 10 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, Coral Server allowed the creation of agent sessions through the /api/v1/sessions endpoint without strong authentication. This endpoint performs resource-intensive initialization operations including container spawning and memory context creation. An attacker capable of accessing the endpoint could create sessions or consume system resources without proper authorization. This vulnerability is fixed in 1.1.0.
Title Session authentication bypass in Coral Server session creation endpoint
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Coral-protocol Coral-server
Coralos Coral Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T14:26:11.332Z

Reserved: 2026-03-07T17:53:48.815Z

Link: CVE-2026-30970

cve-icon Vulnrichment

Updated: 2026-03-12T14:26:07.363Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:55.913

Modified: 2026-03-13T19:54:30.730

Link: CVE-2026-30970

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T04:00:09Z

Weaknesses