CVE-2026-7439
MEDIUMAgentFlow Local Web API Content-Type Validation Bypass
Title source: cnaDescription
AgentFlow's local web API accepts non-JSON content types on POST /api/runs and POST /api/runs/validate endpoints without enforcing application/json validation, allowing attackers to bypass trust-boundary enforcement on sensitive operations. Attackers can exploit this content-type validation weakness through browser-driven or local cross-origin requests to abuse the localhost API and enable attack chains against the local control plane.
Scores
CVSS v3
4.4
EPSS
0.0001
EPSS Percentile
0.3%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-346
Status
published
Products (1)
berabuddies/AgentFlow
< 1667fa3
Published
Apr 29, 2026
Tracked Since
Apr 30, 2026