Intel

AIKIDO-2026-69310

openhands-agent-server is vulnerable to Authentication Bypass

Authentication Bypass Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 25, 2026

65

Medium Risk

This Affects:

PYTHONopenhands-agent-server
1.29.0 - 1.29.0
Fixed in 1.29.2
Are you affected? Scan for Free

TL;DR

The agent server attaches its session API key auth dependencies to the /api/*, OpenAI-compatible, and workspace static routes only when config.session_api_keys is already populated at route-registration time. In deferred-init (warm-pool) deployments the server boots dormant with no session keys and receives them later via POST /api/init, so the key check is never attached to those routes. After POST /api/init lifts the dormant gate, the API serves conversation, file, and command endpoints without enforcing any session API key, exposing them to unauthenticated callers that can reach the pod. The fix replaces the route-time factory dependencies with dependencies that read the current config from request.app.state at request time so keys delivered via /api/init are enforced immediately.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and the agent server is deployed in deferred-init (warm-pool) mode where session API keys are delivered at runtime via POST /api/init.

Background info

openhands-agent-server is vulnerable to Authentication Bypass in versions 1.29.0 - 1.29.0.

How to fix this

Upgrade the openhands-agent-server library to the patch version.