Vulnerability  ·  2026-07-11

Ruflo Agent Meta-Harness — Unauthenticated MCP Bridge RCE (CVSS 10.0)

VulnerabilityHigh impactGlobalCVE-2026-59726
Ruflo, an agent meta-harness for Claude Code and Codex, shipped a default docker-compose deployment that exposed the MCP bridge's POST /mcp and POST /mcp/:group endpoints without any authentication. An unauthenticated network attacker could invoke tools/call against terminal_execute to run arbitrary OS commands inside the bridge container, enabling theft of API keys, poisoning of agent learning stores (AgentDB), and lateral network movement. Fixed in v3.16.3, which binds the bridge to 127.0.0.1 by default, requires MCP_AUTH_TOKEN for public binding, adds bearer auth with constant-time comparison, gates terminal execution behind MCP_ENABLE_TERMINAL=true, makes the bridge filesystem read-only, and requires MongoDB authentication.
This is a maximum-severity (CVSS 10.0), zero-authentication remote code execution vulnerability in a widely-referenced agent meta-harness bridging two of the most popular coding-agent ecosystems (Claude Code, Codex/OpenAI). Default deployment configuration exposed it publicly, meaning any exposed instance was trivially exploitable for full container compromise, credential theft, and agent-memory poisoning.
Unauthenticated POST requests to exposed /mcp or /mcp/:group MCP bridge endpoints invoking terminal_execute tool to run arbitrary OS commands
Ruflo (agent meta-harness for Claude Code/Codex) < 3.16.3
Upgrade to Ruflo ≥3.16.3; bind MCP bridge to localhost; set MCP_AUTH_TOKEN and MCP_ENABLE_TERMINAL only if required; enable MongoDB authentication
GitHub Security Advisory GHSA-c4hm-4h84-2cf3Mallory.ai
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →