Unauthenticated Access in Ruflo Agent Meta-Harness
CVE-2026-59726
10CRITICAL
What is CVE-2026-59726?
The Ruflo Agent Meta-Harness prior to version 3.16.3 had a critical security flaw wherein its default Docker deployment exposed the MCP bridge POST /mcp and POST /mcp/:group endpoints without any authentication. This oversight potentially allowed an unauthenticated attacker to execute commands, gaining unauthorized access to critical functionalities such as tools/call to terminal_execute. This could lead to obtaining sensitive information like provider API keys and manipulating AgentDB learning-store patterns. Users are advised to upgrade to version 3.16.3 or later to mitigate this risk.
Affected Version(s)
ruflo < 3.16.3
