{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/unauthenticated-rce/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flyto-core 2.26.2"],"_cs_severities":["critical"],"_cs_tags":["unauthenticated-rce","command-injection","web-application","ghsa","linux"],"_cs_type":"advisory","_cs_vendors":["flytohub"],"content_html":"\u003cp\u003eflyto-core, an application leveraging FastAPI, is susceptible to an unauthenticated command execution vulnerability. This flaw exists within its HTTP MCP endpoint (\u003ccode\u003ePOST /mcp\u003c/code\u003e), which lacks proper authentication and authorization checks. Discovered on 2026-07-06, the vulnerability allows unauthenticated attackers to send JSON-RPC \u003ccode\u003etools/call\u003c/code\u003e requests that are then dispatched to arbitrary internal modules, including \u003ccode\u003esandbox.execute_shell\u003c/code\u003e. This specific module executes attacker-controlled input directly via \u003ccode\u003easyncio.create_subprocess_shell\u003c/code\u003e with \u003ccode\u003eshell=True\u003c/code\u003e, bypassing security controls. By default, flyto-core binds to \u003ccode\u003e127.0.0.1\u003c/code\u003e, making it a high-severity local vulnerability (CVSS 8.4); however, if configured to bind to \u003ccode\u003e--host 0.0.0.0\u003c/code\u003e, it becomes remotely exploitable, enabling full system compromise with root privileges as demonstrated in dynamic reproductions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker sends an unauthenticated HTTP POST request to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint of a vulnerable flyto-core server.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emcp_router\u003c/code\u003e (mounted at \u003ccode\u003esrc/core/api/server.py:75-78\u003c/code\u003e) receives the request without requiring authentication.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emcp_post\u003c/code\u003e function (\u003ccode\u003esrc/core/api/routes/mcp.py:65-66\u003c/code\u003e) processes the request body, which is an attacker-controlled JSON-RPC payload.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehandle_jsonrpc_request\u003c/code\u003e function (\u003ccode\u003esrc/core/api/routes/mcp.py:103-104\u003c/code\u003e) forwards the JSON-RPC item containing a \u003ccode\u003etools/call\u003c/code\u003e method with \u003ccode\u003ename: execute_module\u003c/code\u003e and \u003ccode\u003emodule_id: sandbox.execute_shell\u003c/code\u003e to the module dispatcher.\u003c/li\u003e\n\u003cli\u003eThe module registry (\u003ccode\u003esrc/core/mcp_handler.py:180\u003c/code\u003e) resolves \u003ccode\u003esandbox.execute_shell\u003c/code\u003e and invokes it with attacker-supplied \u003ccode\u003eparams\u003c/code\u003e, including a \u003ccode\u003ecommand\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esandbox.execute_shell\u003c/code\u003e module (\u003ccode\u003esrc/core/modules/atomic/sandbox/execute_shell.py:137-139\u003c/code\u003e) extracts the \u003ccode\u003ecommand\u003c/code\u003e directly from \u003ccode\u003eparams\u003c/code\u003e without sanitization.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecommand\u003c/code\u003e is passed to \u003ccode\u003easyncio.create_subprocess_shell\u003c/code\u003e with \u003ccode\u003eshell=True\u003c/code\u003e (\u003ccode\u003esrc/core/modules/atomic/sandbox/execute_shell.py:163-169\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe flyto-core server process executes the arbitrary OS command supplied by the attacker, with the privileges of the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis unauthenticated command execution vulnerability carries critical impact. Any local process can exploit the vulnerability if \u003ccode\u003eflyto serve\u003c/code\u003e is running on a workstation, leading to arbitrary file operations, credential exfiltration, or lateral movement. More severely, if \u003ccode\u003eflyto-core\u003c/code\u003e is exposed externally (e.g., bound to \u003ccode\u003e0.0.0.0\u003c/code\u003e), unauthenticated remote attackers can achieve full system compromise with \u003ccode\u003eroot\u003c/code\u003e privileges, as confirmed by dynamic reproduction. The vulnerability affects developers and local users running the service, as well as infrastructure operators who expose the API without proper network-level access controls. Consequences include complete host takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect unauthenticated POST requests to \u003ccode\u003e/mcp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInspect webserver logs for HTTP POST requests to the \u003ccode\u003e/mcp\u003c/code\u003e URI as an indicator of attempted exploitation.\u003c/li\u003e\n\u003cli\u003ePatch affected flyto-core instances immediately by applying the recommended code changes from the source, specifically ensuring \u003ccode\u003erequire_auth\u003c/code\u003e dependency for \u003ccode\u003e/mcp\u003c/code\u003e routes and adding \u003ccode\u003esandbox.*\u003c/code\u003e to the \u003ccode\u003e_DEFAULT_DENYLIST\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T17:45:25Z","date_published":"2026-07-06T17:45:25Z","id":"https://feed.craftedsignal.io/briefs/2026-07-flyto-core-unauthenticated-rce/","summary":"flyto-core is vulnerable to unauthenticated command execution via its HTTP MCP endpoint (`POST /mcp`), allowing remote attackers to execute arbitrary OS commands with server privileges by invoking `sandbox.execute_shell` through JSON-RPC requests, potentially leading to full system compromise.","title":"flyto-core Unauthenticated Command Execution via HTTP MCP `execute_module`","url":"https://feed.craftedsignal.io/briefs/2026-07-flyto-core-unauthenticated-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Unauthenticated-Rce","version":"https://jsonfeed.org/version/1.1"}