Intel

AIKIDO-2026-996474

@openai/agents-realtime is vulnerable to Improper Authorization

Improper Authorization Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 1, 2026

59

Medium Risk

This Affects:

JS@openai/agents-realtime
0.1.0 - 0.10.0
Fixed in 0.10.1
Are you affected? Scan for Free

TL;DR

The realtime tool conversion forwards the hosted MCP require_approval policy to the realtime session without validating its shape. Malformed policies, unknown keys, and tools listed in both always and never are passed through unchanged. This can silently weaken or disable the human-in-the-loop approval gate so hosted MCP tool calls run without the intended approval during realtime sessions. The fix normalizes the policy through a shared validator, rejects invalid configurations, and omits it when undefined.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and configure hosted MCP tools with require_approval approval policies.

Background info

@openai/agents-realtime is vulnerable to Improper Authorization in versions 0.1.0 - 0.10.0.

How to fix this

Upgrade the @openai/agents-realtime library to the patch version.