Skip to content
Threat Feed
high advisory

Inkeep Agents Authentication Bypass Vulnerability (CVE-2026-8321)

CVE-2026-8321 is an authentication bypass vulnerability in the createDevContext function of Inkeep Agents 0.58.14, allowing remote attackers to bypass authentication via alternate channels.

A critical authentication bypass vulnerability, identified as CVE-2026-8321, has been discovered in Inkeep Agents version 0.58.14. The flaw exists within the createDevContext function located in the agents-api/src/middleware/runAuth.ts file, which is part of the runAuth Middleware component. This vulnerability enables attackers to bypass authentication by manipulating requests to use an alternate channel. The vulnerability can be exploited remotely without requiring any prior authentication. Public exploits are available, increasing the risk of exploitation. The vendor has been notified but has not yet responded.

Attack Chain

  1. The attacker identifies an Inkeep Agents instance running version 0.58.14.
  2. The attacker crafts a malicious request targeting the createDevContext function within the agents-api/src/middleware/runAuth.ts file.
  3. The crafted request manipulates parameters to exploit the authentication bypass vulnerability.
  4. The vulnerable createDevContext function improperly validates or skips authentication checks based on the manipulated parameters.
  5. The system grants the attacker unauthorized access to protected resources or functionalities.
  6. The attacker performs privileged actions, such as accessing sensitive data or modifying system configurations, due to the bypassed authentication.

Impact

Successful exploitation of CVE-2026-8321 allows unauthenticated remote attackers to bypass authentication mechanisms in Inkeep Agents 0.58.14. This can lead to unauthorized access to sensitive information, modification of system configurations, or execution of privileged operations. The vulnerability is remotely exploitable and has a public exploit, increasing the likelihood of widespread attacks.

Recommendation

  • Monitor web server logs for suspicious requests targeting the createDevContext function in agents-api/src/middleware/runAuth.ts (See Sigma rule Detect CVE-2026-8321 Exploitation — Inkeep Agents Authentication Bypass).
  • Apply any available patches or updates released by Inkeep to address CVE-2026-8321.

Detection coverage 1

Detect CVE-2026-8321 Exploitation — Inkeep Agents Authentication Bypass

high

Detects CVE-2026-8321 exploitation — Attempts to bypass authentication by manipulating requests to the createDevContext function.

sigma tactics: initial_access techniques: T1190 sources: webserver

Detection queries are available on the platform. Get full rules →