<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Flyto-Core 2.26.2 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/flyto-core-2.26.2/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 17:45:25 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/flyto-core-2.26.2/feed.xml" rel="self" type="application/rss+xml"/><item><title>flyto-core Unauthenticated Command Execution via HTTP MCP `execute_module`</title><link>https://feed.craftedsignal.io/briefs/2026-07-flyto-core-unauthenticated-rce/</link><pubDate>Mon, 06 Jul 2026 17:45:25 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-flyto-core-unauthenticated-rce/</guid><description>flyto-core is vulnerable to unauthenticated command execution via its HTTP MCP endpoint (`POST /mcp`), allowing remote attackers to execute arbitrary OS commands with server privileges by invoking `sandbox.execute_shell` through JSON-RPC requests, potentially leading to full system compromise.</description><content:encoded><![CDATA[<p>flyto-core, an application leveraging FastAPI, is susceptible to an unauthenticated command execution vulnerability. This flaw exists within its HTTP MCP endpoint (<code>POST /mcp</code>), which lacks proper authentication and authorization checks. Discovered on 2026-07-06, the vulnerability allows unauthenticated attackers to send JSON-RPC <code>tools/call</code> requests that are then dispatched to arbitrary internal modules, including <code>sandbox.execute_shell</code>. This specific module executes attacker-controlled input directly via <code>asyncio.create_subprocess_shell</code> with <code>shell=True</code>, bypassing security controls. By default, flyto-core binds to <code>127.0.0.1</code>, making it a high-severity local vulnerability (CVSS 8.4); however, if configured to bind to <code>--host 0.0.0.0</code>, it becomes remotely exploitable, enabling full system compromise with root privileges as demonstrated in dynamic reproductions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker sends an unauthenticated HTTP POST request to the <code>/mcp</code> endpoint of a vulnerable flyto-core server.</li>
<li>The <code>mcp_router</code> (mounted at <code>src/core/api/server.py:75-78</code>) receives the request without requiring authentication.</li>
<li>The <code>mcp_post</code> function (<code>src/core/api/routes/mcp.py:65-66</code>) processes the request body, which is an attacker-controlled JSON-RPC payload.</li>
<li>The <code>handle_jsonrpc_request</code> function (<code>src/core/api/routes/mcp.py:103-104</code>) forwards the JSON-RPC item containing a <code>tools/call</code> method with <code>name: execute_module</code> and <code>module_id: sandbox.execute_shell</code> to the module dispatcher.</li>
<li>The module registry (<code>src/core/mcp_handler.py:180</code>) resolves <code>sandbox.execute_shell</code> and invokes it with attacker-supplied <code>params</code>, including a <code>command</code> argument.</li>
<li>The <code>sandbox.execute_shell</code> module (<code>src/core/modules/atomic/sandbox/execute_shell.py:137-139</code>) extracts the <code>command</code> directly from <code>params</code> without sanitization.</li>
<li>The <code>command</code> is passed to <code>asyncio.create_subprocess_shell</code> with <code>shell=True</code> (<code>src/core/modules/atomic/sandbox/execute_shell.py:163-169</code>).</li>
<li>The flyto-core server process executes the arbitrary OS command supplied by the attacker, with the privileges of the server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This unauthenticated command execution vulnerability carries critical impact. Any local process can exploit the vulnerability if <code>flyto serve</code> is running on a workstation, leading to arbitrary file operations, credential exfiltration, or lateral movement. More severely, if <code>flyto-core</code> is exposed externally (e.g., bound to <code>0.0.0.0</code>), unauthenticated remote attackers can achieve full system compromise with <code>root</code> privileges, as confirmed by dynamic reproduction. The vulnerability affects developers and local users running the service, as well as infrastructure operators who expose the API without proper network-level access controls. Consequences include complete host takeover.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to detect unauthenticated POST requests to <code>/mcp</code>.</li>
<li>Inspect webserver logs for HTTP POST requests to the <code>/mcp</code> URI as an indicator of attempted exploitation.</li>
<li>Patch affected flyto-core instances immediately by applying the recommended code changes from the source, specifically ensuring <code>require_auth</code> dependency for <code>/mcp</code> routes and adding <code>sandbox.*</code> to the <code>_DEFAULT_DENYLIST</code>.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>unauthenticated-rce</category><category>command-injection</category><category>web-application</category><category>ghsa</category><category>linux</category></item></channel></rss>