AgentFlow Local Web API Content-Type Validation Bypass

Advisories

AgentFlow Local Web API Content-Type Validation Bypass

severity: medium
date: 4/29/2026
Affecting: AgentFlow < commit 1667fa3
CVE: CVE-2026-7439
CWE: CWE-346 Origin Validation Error
CVSS: 4.8
CVSS V4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
References: Pull Request
Patch Commit
Credit: Chia Min Jun Lennon
Description: AgentFlow's local web API accepts non-JSON content types on POST /api/runs and POST /api/runs/validate endpoints without enforcing application/json validation, allowing attackers to bypass trust-boundary enforcement on sensitive operations. Attackers can exploit this content-type validation weakness through browser-driven or local cross-origin requests to abuse the localhost API and enable attack chains against the local control plane.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo