Unauthenticated Access in Ruflo Agent Meta-Harness
CVE-2026-59726

10CRITICAL

Key Information:

Vendor

Ruvnet

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-59726?

The Ruflo Agent Meta-Harness prior to version 3.16.3 had a critical security flaw wherein its default Docker deployment exposed the MCP bridge POST /mcp and POST /mcp/:group endpoints without any authentication. This oversight potentially allowed an unauthenticated attacker to execute commands, gaining unauthorized access to critical functionalities such as tools/call to terminal_execute. This could lead to obtaining sensitive information like provider API keys and manipulating AgentDB learning-store patterns. Users are advised to upgrade to version 3.16.3 or later to mitigate this risk.

Affected Version(s)

ruflo < 3.16.3

References

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.