← back
CVE-2026-30970

Session authentication bypass in Coral Server session creation endpoint

CVSS 8.8 HIGHEPSS 0.3%CWE-862
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.8EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
10 Mar 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, Coral Server allowed the creation of agent sessions through the /api/v1/sessions endpoint without strong authentication. This endpoint performs resource-intensive initialization operations including container spawning and memory context creation. An attacker capable of accessing the endpoint could create sessions or consume system resources without proper authorization. This vulnerability is fixed in 1.1.0.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
Coral-Protocol · coral-server

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/Coral-Protocol/coral-server/releases/tag/v1.1.0https://github.com/Coral-Protocol/coral-server/security/advisories/GHSA-wqfm-hhqf-9hgp