flyto-core Unauthenticated Command Execution via HTTP MCP `execute_module`
flyto-core is vulnerable to unauthenticated command execution via its HTTP MCP endpoint (`POST /mcp`), allowing remote attackers to execute arbitrary OS commands with server privileges by invoking `sandbox.execute_shell` through JSON-RPC requests, potentially leading to full system compromise.
flyto-core, an application leveraging FastAPI, is susceptible to an unauthenticated command execution vulnerability. This flaw exists within its HTTP MCP endpoint (POST /mcp), which lacks proper authentication and authorization checks. Discovered on 2026-07-06, the vulnerability allows unauthenticated attackers to send JSON-RPC tools/call requests that are then dispatched to arbitrary internal modules, including sandbox.execute_shell. This specific module executes attacker-controlled input directly via asyncio.create_subprocess_shell with shell=True, bypassing security controls. By default, flyto-core binds to 127.0.0.1, making it a high-severity local vulnerability (CVSS 8.4); however, if configured to bind to --host 0.0.0.0, it becomes remotely exploitable, enabling full system compromise with root privileges as demonstrated in dynamic reproductions.
Attack Chain
- Attacker sends an unauthenticated HTTP POST request to the
/mcpendpoint of a vulnerable flyto-core server. - The
mcp_router(mounted atsrc/core/api/server.py:75-78) receives the request without requiring authentication. - The
mcp_postfunction (src/core/api/routes/mcp.py:65-66) processes the request body, which is an attacker-controlled JSON-RPC payload. - The
handle_jsonrpc_requestfunction (src/core/api/routes/mcp.py:103-104) forwards the JSON-RPC item containing atools/callmethod withname: execute_moduleandmodule_id: sandbox.execute_shellto the module dispatcher. - The module registry (
src/core/mcp_handler.py:180) resolvessandbox.execute_shelland invokes it with attacker-suppliedparams, including acommandargument. - The
sandbox.execute_shellmodule (src/core/modules/atomic/sandbox/execute_shell.py:137-139) extracts thecommanddirectly fromparamswithout sanitization. - The
commandis passed toasyncio.create_subprocess_shellwithshell=True(src/core/modules/atomic/sandbox/execute_shell.py:163-169). - The flyto-core server process executes the arbitrary OS command supplied by the attacker, with the privileges of the server.
Impact
This unauthenticated command execution vulnerability carries critical impact. Any local process can exploit the vulnerability if flyto serve is running on a workstation, leading to arbitrary file operations, credential exfiltration, or lateral movement. More severely, if flyto-core is exposed externally (e.g., bound to 0.0.0.0), unauthenticated remote attackers can achieve full system compromise with root privileges, as confirmed by dynamic reproduction. The vulnerability affects developers and local users running the service, as well as infrastructure operators who expose the API without proper network-level access controls. Consequences include complete host takeover.
Recommendation
- Deploy the provided Sigma rule to detect unauthenticated POST requests to
/mcp. - Inspect webserver logs for HTTP POST requests to the
/mcpURI as an indicator of attempted exploitation. - Patch affected flyto-core instances immediately by applying the recommended code changes from the source, specifically ensuring
require_authdependency for/mcproutes and addingsandbox.*to the_DEFAULT_DENYLIST.
Detection coverage 1
Detect flyto-core Unauthenticated MCP Endpoint Access
highDetects unauthenticated HTTP POST requests to the /mcp endpoint of flyto-core, indicating potential exploitation of the unauthenticated command execution vulnerability.
Detection queries are available on the platform. Get full rules →