<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>@Grackle-Ai/Mcp (&lt;= 0.132.1) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/@grackle-ai/mcp--0.132.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:35:34 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/@grackle-ai/mcp--0.132.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>Grackle AI MCP Tool Layer Fail-Open Authorization Leads to IDOR and Privilege Escalation (GHSA-f9ff-5x35-7gfw)</title><link>https://feed.craftedsignal.io/briefs/2026-07-grackle-ai-mcp-idor/</link><pubDate>Fri, 03 Jul 2026 11:35:34 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-grackle-ai-mcp-idor/</guid><description>The Grackle AI MCP tool layer, specifically versions of `@grackle-ai/mcp`, `@grackle-ai/plugin-core`, and `@grackle-ai/auth` up to `0.132.1`, suffers from an authorization bypass (IDOR) due to inconsistent inline checks, allowing a compromised scoped agent to perform unauthorized cross-task and cross-session operations, leading to data manipulation, denial of service, and sensitive data disclosure across workspaces.</description><content:encoded><![CDATA[<p>Grackle AI's Multi-Agent Collaboration Protocol (MCP) tool layer, including <code>@grackle-ai/mcp</code>, <code>@grackle-ai/plugin-core</code>, and <code>@grackle-ai/auth</code> up to version <code>0.132.1</code>, contains critical authorization bypass vulnerabilities (GHSA-f9ff-5x35-7gfw). The core issue stems from inconsistent inline authorization checks within the tool layer, which is the <em>sole</em> authorization boundary for scoped callers. Because the MCP server authenticates all outbound gRPC with a full server API key and backend gRPC handlers perform no caller-based authorization, several mutating tools (<code>task_update</code>, <code>task_delete</code>, <code>task_resume</code>, <code>session_kill</code>, <code>session_resume</code>) silently omit necessary ancestry/workspace checks, effectively &quot;failing open.&quot; This allows a malicious or prompt-injected scoped agent to perform unauthorized cross-task and cross-session operations, enabling IDOR, privilege escalation, and denial of service. Additionally, a flaw in handling workspaceless sessions allows for cross-workspace read-only data disclosure. The vulnerability was published on July 2, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access/Compromise</strong>: An attacker gains control over an existing Grackle AI &quot;scoped agent&quot; within a customer environment, potentially through prompt injection, misconfiguration, or compromising the underlying system hosting the agent.</li>
<li><strong>Task ID Enumeration (F2)</strong>: The compromised scoped agent leverages legitimate tools like <code>task_list</code> or <code>task_search</code> to discover <code>taskId</code> values belonging to other tasks, including those of sibling agents, parent tasks, or tasks in different workspaces.</li>
<li><strong>Cross-Workspace Discovery (F7)</strong>: If the compromised agent operates from a workspaceless session, it exploits the <code>workspaceId: undefined</code> bypass in <code>mcp-server.ts</code> to call <code>task_list</code> (without arguments) and retrieve information about <em>all</em> tasks across <em>all</em> workspaces within the Grackle AI instance.</li>
<li><strong>Unauthorized Data Disclosure (F7)</strong>: Using the enumerated <code>taskId</code> values, the agent then calls <code>task_show {taskId}</code> or <code>schedule_show</code> to access and potentially exfiltrate sensitive details (e.g., title, description, branch, review notes) from tasks it is not authorized to view across workspaces.</li>
<li><strong>Task Data Manipulation/Destruction (F2)</strong>: The agent invokes <code>task_update</code>, <code>task_delete</code>, or <code>task_resume</code> with arbitrary <code>taskId</code> values (bypassing ancestry checks), allowing it to modify (e.g., change status to <code>complete</code>/<code>failed</code>, rewrite dependency DAG/budgets) or permanently delete tasks belonging to other agents or the human orchestrator.</li>
<li><strong>Session Denial of Service / Hijacking (F6)</strong>: The agent calls <code>session_kill {sessionId}</code> or <code>session_resume {sessionId}</code> (bypassing ancestry checks) to terminate or resume active sessions of other agents or the root orchestrator, leading to a denial of service or unauthorized session control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerabilities allow a compromised Grackle AI scoped agent to escalate privileges, gain unauthorized access to sensitive data, and disrupt operations. Specifically, attackers can permanently destroy other agents' or the human orchestrator's work, corrupt task dependency graphs and budgets, terminate other active sessions (leading to a denial of service for sibling agents or the root orchestrator), hijack foreign sessions, and exfiltrate sensitive task metadata (titles, descriptions, branch info, review notes) from any workspace. The &quot;fail-open&quot; nature means new tools can introduce similar vulnerabilities if ancestry checks are omitted, making the system inherently fragile. The advisory covers systemic findings F2, F6, F7, and F12.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Prioritize updating all <code>@grackle-ai/mcp</code>, <code>@grackle-ai/plugin-core</code>, and <code>@grackle-ai/auth</code> packages to versions <em>greater than</em> <code>0.132.1</code> to address GHSA-f9ff-5x35-7gfw.</li>
<li>Ensure that the remediation for GHSA-f9ff-5x35-7gfw, specifically the enforcement of scope centrally in the <code>CallToolRequest</code> dispatcher (<code>mcp-server.ts</code>) via <code>targetTaskIdArg</code> / <code>targetSessionIdArg</code> descriptors, is fully implemented and operational.</li>
<li>Verify that <code>assertCallerIsAncestor</code> or equivalent self-or-ancestor checks have been added to <code>task_update</code>, <code>task_delete</code>, <code>task_resume</code>, <code>session_kill</code>, and <code>session_resume</code> as described in the remediation for GHSA-f9ff-5x35-7gfw.</li>
<li>Confirm that the fix for F7, preventing failure-open on empty <code>workspaceId</code> and applying <code>task_show</code> membership checks for all scoped non-root callers, is properly deployed per GHSA-f9ff-5x35-7gfw.</li>
<li>If <code>scoped-token.ts</code> (F12) is wired into task-abort/stop flows with SQLite-backed persistence, ensure this feature is functional to allow for proper scoped token revocation, as recommended in GHSA-f9ff-5x35-7gfw.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>idor</category><category>authorization-bypass</category><category>privilege-escalation</category><category>denial-of-service</category><category>code-vulnerability</category><category>software-component</category></item></channel></rss>