What happened
Ruflo, an agent meta-harness for Claude Code and Codex, shipped a default docker-compose deployment that exposed the MCP bridge's POST /mcp and POST /mcp/:group endpoints without any authentication. An unauthenticated network attacker could invoke tools/call against terminal_execute to run arbitrary OS commands inside the bridge container, enabling theft of API keys, poisoning of agent learning stores (AgentDB), and lateral network movement. Fixed in v3.16.3, which binds the bridge to 127.0.0.1 by default, requires MCP_AUTH_TOKEN for public binding, adds bearer auth with constant-time comparison, gates terminal execution behind MCP_ENABLE_TERMINAL=true, makes the bridge filesystem read-only, and requires MongoDB authentication.
Why it matters
This is a maximum-severity (CVSS 10.0), zero-authentication remote code execution vulnerability in a widely-referenced agent meta-harness bridging two of the most popular coding-agent ecosystems (Claude Code, Codex/OpenAI). Default deployment configuration exposed it publicly, meaning any exposed instance was trivially exploitable for full container compromise, credential theft, and agent-memory poisoning.
Attack vector
Unauthenticated POST requests to exposed /mcp or /mcp/:group MCP bridge endpoints invoking terminal_execute tool to run arbitrary OS commands
Affected systems
Ruflo (agent meta-harness for Claude Code/Codex) < 3.16.3
Mitigation
Upgrade to Ruflo ≥3.16.3; bind MCP bridge to localhost; set MCP_AUTH_TOKEN and MCP_ENABLE_TERMINAL only if required; enable MongoDB authentication