Local Web API Content-Type Validation Bypass in AgentFlow by Berabuddies
CVE-2026-7439

4.8 MEDIUM

Key Information:

Vendor: Berabuddies
CVE Published: 29 April 2026

What is CVE-2026-7439?

AgentFlow's local web API does not validate the Content-Type of requests to POST /api/runs and POST /api/runs/validate, so request bodies sent with non-JSON content types are accepted and processed. That check is part of the trust boundary for a localhost control plane: a web page open in the user's browser can issue a cross-origin POST with a form or text/plain content type, and the browser sends such a request without a CORS preflight, so the server's refusal of non-JSON bodies is what keeps a hostile page from reaching the API. With the check missing, a browser-driven or other local cross-origin request can drive the localhost API through these endpoints, which can serve as a starting point for broader attacks on the local control plane. The fix is to update AgentFlow to a build that includes commit 1667fa3 from Berabuddies; every build before it is affected.
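The mechanism above, as an added example that is not AgentFlow's code: a permissive handler that parses any POST body as JSON beside a hardened one that requires application/json, plus a helper that says whether a browser would send a given cross-origin request without a preflight. The route name, the sample requests and the allowed-origin value are constructed for illustration.

```javascript
// Added example, not AgentFlow's code. Route names, sample requests and the
// allowed UI origin are hypothetical stand-ins for the affected endpoints.

// Media types a browser may send cross-origin in a POST without a CORS
// preflight (the CORS-safelisted values for Content-Type).
const CORS_SAFELISTED_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Hypothetical origin of the product's own browser UI, if it has one.
const ALLOWED_ORIGINS = new Set(["http://localhost:8787"]);

// Extract the media type from a Content-Type value: drop parameters such as
// charset, trim, and lower-case, so "Application/JSON; charset=utf-8" matches.
function mediaType(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// True when a cross-origin browser request with these properties is sent
// without a preflight, i.e. the server never gets a chance to refuse it first.
function isPreflightFree(method, headers) {
  const m = String(method).toUpperCase();
  if (!["GET", "HEAD", "POST"].includes(m)) return false;
  const ct = mediaType(headers["content-type"]);
  return ct === "" || CORS_SAFELISTED_TYPES.has(ct);
}

// Permissive handler (the behaviour being patched): any POST body is parsed as
// JSON regardless of Content-Type, so a text/plain body that happens to contain
// a JSON document is accepted even when it arrived from a hostile web page.
function permissiveRun(req) {
  if (req.method !== "POST") return { status: 405 };
  try {
    return { status: 200, run: JSON.parse(req.body) };
  } catch {
    return { status: 400 };
  }
}

// Hardened handler: check Content-Type and Origin before touching the body.
// A request a browser could have sent without preflight is refused with 415;
// a browser request from a foreign origin is refused with 403.
function strictRun(req) {
  if (req.method !== "POST") return { status: 405 };
  if (mediaType(req.headers["content-type"]) !== "application/json") {
    return { status: 415, reason: "Content-Type must be application/json" };
  }
  const origin = req.headers["origin"];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, reason: "origin not allowed" };
  }
  try {
    return { status: 200, run: JSON.parse(req.body) };
  } catch {
    return { status: 400 };
  }
}

// Constructed sample requests (not captured traffic).
const crossOriginTextPost = {
  method: "POST",
  path: "/api/runs",
  headers: { "content-type": "text/plain", origin: "https://attacker.example" },
  body: JSON.stringify({ agent: "deploy", args: ["--force"] }),
};
const crossOriginJsonPost = {
  method: "POST",
  path: "/api/runs",
  headers: { "content-type": "application/json", origin: "https://attacker.example" },
  body: "{}",
};
const localCliPost = {
  method: "POST",
  path: "/api/runs",
  headers: { "content-type": "application/json; charset=utf-8" },
  body: JSON.stringify({ agent: "deploy", args: [] }),
};

// Summarises how each handler treats the samples; returned, not printed.
function demo() {
  return {
    textPostPreflightFree: isPreflightFree("POST", crossOriginTextPost.headers),
    jsonPostPreflightFree: isPreflightFree("POST", crossOriginJsonPost.headers),
    permissiveStatus: permissiveRun(crossOriginTextPost).status,
    strictTextStatus: strictRun(crossOriginTextPost).status,
    strictForeignJsonStatus: strictRun(crossOriginJsonPost).status,
    strictCliStatus: strictRun(localCliPost).status,
  };
}
```

The Content-Type check alone closes the preflight-free path; the Origin allowlist is the second layer for deployments that enable CORS for their own UI, since a misconfigured Access-Control-Allow-Origin would otherwise let a preflighted application/json request through.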

Affected Version(s)

AgentFlow, all versions before commit 1667fa3

CVSS v4

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability reserved
  • Vulnerability published: 29 April 2026

Credit

Chia Min Jun Lennon