Description
A vulnerability was detected in inkeep agents 0.58.14. It affects the function createDevContext in the file agents-api/src/middleware/runAuth.ts of the runAuth Middleware component. Manipulation results in authentication bypass using an alternate channel. The attack can be carried out remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-11
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the createDevContext function of the runAuth middleware enables attackers to bypass authentication through an alternate channel, resulting in unauthorized access to protected resources. The weakness is classified as CWE-287 and CWE-288, covering improper authentication and authentication bypass through an alternate channel. The impact is loss of confidentiality and integrity for users authenticated through this channel.

Affected Systems

The vulnerability affects inkeep agents version 0.58.14. No other versions are listed as affected, and no additional vendors or products are identified. The affected code resides in agents-api/src/middleware/runAuth.ts in the inkeep agents project.

Risk and Exploitability

The CVSS score of 6.9 corresponds to medium severity, and no EPSS score is available, so there is insufficient data on exploitation probability. The exploit is publicly available and the attack can be carried out remotely, and the project has not provided a fix yet. Because it is listed in neither KEV nor any public exploit forum, widespread exploitation may still be limited, but the remote attack vector and the authentication bypass pose significant risk.

Generated by OpenCVE AI on May 11, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade to a version of inkeep agents that contains the fix when it becomes available.
  • If a patch is not yet released, restrict network exposure by limiting access to the runAuth middleware endpoints and disabling or tightly controlling any alternate authentication channels.
  • Monitor authentication logs for abnormal activity and enforce least privilege principles on any alternate channel usage.

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Inkeep; Inkeep agents |
| Vendors & Products | | Inkeep; Inkeep agents |

Mon, 11 May 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was detected in inkeep agents 0.58.14. This vulnerability affects the function createDevContext of the file agents-api/src/middleware/runAuth.ts of the component runAuth Middleware. Performing a manipulation results in authentication bypass using alternate channel. The attack is possible to be carried out remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. |
| Title | | inkeep agents runAuth Middleware runAuth.ts createDevContext authentication bypass |
| Weaknesses | | CWE-287; CWE-288 |
| References | | |
| Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-11T19:45:08.634Z

Reserved: 2026-05-11T13:36:22.325Z

Link: CVE-2026-8321

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-11T20:25:48.547

Modified: 2026-05-11T20:25:48.547

Link: CVE-2026-8321

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:23Z

Weaknesses