CVE-2026-30970
CRITICAL
Coral Server < 1.1.0 - Unauthenticated Resource Exhaustion via Session Creation Endpoint
Title source: llm
Description
Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, Coral Server allowed the creation of agent sessions through the /api/v1/sessions endpoint without strong authentication. This endpoint performs resource-intensive initialization operations including container spawning and memory context creation. An attacker capable of accessing the endpoint could create sessions or consume system resources without proper authorization. This vulnerability is fixed in 1.1.0.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/Coral-Protocol/coral-server/security/advisories/GHSA-wqfm-hhqf-9hgp
Release Notes x_refsource_misc
https://github.com/Coral-Protocol/coral-server/releases/tag/v1.1.0
Scores
CVSS v3: 9.1
EPSS: 0.0032
EPSS Percentile: 23.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-862
Status: published
Products (1): coralos/coral_server < 1.1.0
Published: Mar 10, 2026
Tracked Since: Mar 11, 2026