Intel

AIKIDO-2026-571058

@openai/agents-core is vulnerable to Improper Authorization

Improper Authorization Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 1, 2026

59

Medium Risk

This Affects:

JS@openai/agents-core
0.0.7 - 0.10.0
Fixed in 0.10.1
Are you affected? Scan for Free

TL;DR

The hostedMcpTool helper and tool-search loading in the core package build the hosted MCP require_approval policy without validating its shape. Unsupported policy strings, unknown object keys, malformed toolNames filters, and tools listed in both always and never are accepted and passed through unchanged. A malformed or contradictory approval policy can silently weaken or disable the human-in-the-loop approval gate so hosted MCP tool calls run without the intended approval. The fix adds a shared validator that normalizes the policy and rejects invalid or overlapping configurations.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and configure hosted MCP tools with require_approval approval policies.

Background info

@openai/agents-core is vulnerable to Improper Authorization in versions 0.0.7 - 0.10.0.

How to fix this

Upgrade the @openai/agents-core and/or the @openai/agents library to the patch version.