Intel

AIKIDO-2026-63881

@openai/agents-openai is vulnerable to Improper Authorization

Improper Authorization Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 1, 2026

59

Medium Risk

This Affects:

JS@openai/agents-openai
0.0.7 - 0.10.0
Fixed in 0.10.1
Are you affected? Scan for Free

TL;DR

The Responses model conversion maps the hosted MCP require_approval policy without validating it before sending it to the API. An undefined or malformed policy and overlapping always/never tool lists are propagated as-is, and undefined is treated as never requiring approval. This can silently disable the intended human-in-the-loop approval gate so hosted MCP tool calls execute without approval. The fix routes the policy through a shared validator that normalizes it and rejects invalid configurations.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and configure hosted MCP tools with require_approval approval policies.

Background info

@openai/agents-openai is vulnerable to Improper Authorization in versions 0.0.7 - 0.10.0.

How to fix this

Upgrade the @openai/agents-openai library to the patch version.