Intel

AIKIDO-2026-866750

ruflo is vulnerable to Remote Code Execution

Remote Code ExecutionCVE-2026-59726 Published 3 days ago

100

Critical Risk

This Affects:

JSruflo
0.0.1 - 3.16.2
Fixed in 3.16.3
Are you affected? Scan for Free

TL;DR

The MCP bridge in ruflo exposes the POST /mcp and POST /mcp/:group endpoints without authentication, and the shipped docker-compose defaults bind the bridge and MongoDB to all network interfaces. An unauthenticated network attacker can call tools/call to reach terminal_execute and run arbitrary OS commands inside the bridge container, gaining a shell, reading provider API keys from the environment, and poisoning the AgentDB learning store. The terminal_execute blocklist is enforced only in the autopilot flow, so the primary MCP request paths bypass it. The fix binds the bridge to loopback by default, adds bearer-token authentication with constant-time comparison, and gates terminal_execute behind an explicit opt-in.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you deploy the MCP bridge (for example via the default docker-compose configuration).

Background info

ruflo is vulnerable to Remote Code Execution in versions 0.0.1 - 3.16.2.

How to fix this

Upgrade the ruflo library to the patch version.