Intel

AIKIDO-2026-152028

@openai/agents-core is vulnerable to Improper Authorization

Improper Authorization Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 26, 2026

59

Medium Risk

This Affects:

JS@openai/agents-core
0.0.1 - 0.11.8
Fixed in 0.12.0
Are you affected? Scan for Free

TL;DR

The runner's function tool approval flow evaluates a tool's needsApproval callback before honoring an approval decision that is already recorded for that tool call. When needsApproval is dynamic and re-evaluates to a non-approval-required result after a human-in-the-loop pause and resume, a tool call the user previously rejected can still execute because the stored rejection is never consulted. This affects gated operations including shell, apply patch, computer use, and custom function tools. The fix checks the recorded approval or rejection first and only invokes needsApproval when no decision exists.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and rely on human-in-the-loop tool approvals.

Background info

@openai/agents-core is vulnerable to Improper Authorization in versions 0.0.1 - 0.11.8.

How to fix this

Upgrade the @openai/agents-core library to the patch version.