{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30968", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T17:53:48.815Z", "datePublished": "2026-03-10T17:24:11.604Z", "dateUpdated": "2026-03-10T17:40:58.576Z"}, "containers": {"cna": {"title": "Coral Server has insufficient validation of agent identity for SSE connections", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Coral-Protocol/coral-server/security/advisories/GHSA-2rj5-3pgm-xqw9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Coral-Protocol/coral-server/security/advisories/GHSA-2rj5-3pgm-xqw9"}, {"name": "https://github.com/Coral-Protocol/coral-server/releases/tag/v1.1.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/Coral-Protocol/coral-server/releases/tag/v1.1.0"}], "affected": [{"vendor": "Coral-Protocol", "product": "coral-server", "versions": [{"version": "< 1.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T17:24:11.604Z"}, "descriptions": [{"lang": "en", "value": "Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, the SSE endpoint (/sse/v1/...) in Coral Server did not strongly validate that a connecting agent was a legitimate participant in the session. This could theoretically allow unauthorized message injection or observation. This vulnerability is fixed in 1.1.0."}], "source": {"advisory": "GHSA-2rj5-3pgm-xqw9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T17:40:17.820960Z", "id": "CVE-2026-30968", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T17:40:58.576Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30968", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T17:40:17.820960Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T17:40:53.048Z"}}], "cna": {"title": "Coral Server has insufficient validation of agent identity for SSE connections", "source": {"advisory": "GHSA-2rj5-3pgm-xqw9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Coral-Protocol", "product": "coral-server", "versions": [{"status": "affected", "version": "< 1.1.0"}]}], "references": [{"url": "https://github.com/Coral-Protocol/coral-server/security/advisories/GHSA-2rj5-3pgm-xqw9", "name": "https://github.com/Coral-Protocol/coral-server/security/advisories/GHSA-2rj5-3pgm-xqw9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Coral-Protocol/coral-server/releases/tag/v1.1.0", "name": "https://github.com/Coral-Protocol/coral-server/releases/tag/v1.1.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, the SSE endpoint (/sse/v1/...) in Coral Server did not strongly validate that a connecting agent was a legitimate participant in the session. This could theoretically allow unauthorized message injection or observation. This vulnerability is fixed in 1.1.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T17:24:11.604Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30968", "state": "PUBLISHED", "dateUpdated": "2026-03-10T17:40:58.576Z", "dateReserved": "2026-03-07T17:53:48.815Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T17:24:11.604Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:coralos:coral_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "08D51A1E-4EA2-4413-936B-36CBB428C2FC", "versionEndExcluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, the SSE endpoint (/sse/v1/...) in Coral Server did not strongly validate that a connecting agent was a legitimate participant in the session. This could theoretically allow unauthorized message injection or observation. This vulnerability is fixed in 1.1.0."}, {"lang": "es", "value": "Coral Server es una infraestructura de colaboraci\u00f3n abierta que permite la comunicaci\u00f3n, coordinaci\u00f3n, confianza y pagos para La Internet de Agentes. Antes de 1.1.0, el endpoint SSE (/sse/v1/...) en Coral Server no validaba fuertemente que un agente que se conectaba fuera un participante leg\u00edtimo en la sesi\u00f3n. Esto podr\u00eda te\u00f3ricamente permitir la inyecci\u00f3n o la observaci\u00f3n no autorizada de mensajes. Esta vulnerabilidad est\u00e1 corregida en 1.1.0."}], "id": "CVE-2026-30968", "lastModified": "2026-03-13T19:49:13.237", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T18:18:55.593", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/Coral-Protocol/coral-server/releases/tag/v1.1.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/Coral-Protocol/coral-server/security/advisories/GHSA-2rj5-3pgm-xqw9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "coral-server", "source": "cna", "vendor": "Coral-Protocol"}, "product": "coral-server", "vendor": "coral-protocol"}], "analysis": {"en": {"generated_at": "2026-04-16T09:41:21.711861+00:00", "value": {"mitigation_remediation": ["Upgrade Coral\u00a0Server to version\u00a01.1.0 or newer.", "If an update is not possible, restrict access to the /sse/v1/ endpoint using firewalls or network segmentation so only trusted agents can reach it.", "Enforce strict identity verification for agents before allowing SSE connections, such as validating tokens or certificates to mitigate the missing access control flaw."], "summary": {"action": "Immediate patch", "impact": "Unauthorized message injection or observation."}, "threat_synthesis": {"affected_systems": "The issue exists in all Coral\u2011Protocol Coral\u00a0Server releases before version\u00a01.1.0. Only the SSE path is affected, and the fix is included starting with Coral\u00a0Server\u00a01.1.0. The vulnerability affects deployments of the Coral\u00a0Server component of the Coral Protocol open collaboration infrastructure.", "description_and_impact": "Coral Server\u2019s SSE endpoint (/sse/v1/...) lacks sufficient validation of an agent\u2019s identity, allowing an unauthorized party to potentially inject messages into or observe data streams that belong to legitimate sessions. This weakness is a classic case of missing access control (CWE\u2011862) and could compromise the confidentiality and integrity of communication between agents. The vulnerability is theoretical but could be exploited to tamper with or eavesdrop on collaboration data, payments, or trust exchanges handled by the server.", "risk_and_exploitability": "The CVSS score of 8.6 places the flaw in the high\u2011severity range. However, the EPSS score of less than 1% suggests the likelihood of exploitation is currently low, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to establish a session over the SSE endpoint without sufficient identity verification; the vulnerability can be triggered without any privileged knowledge beyond the endpoint\u2019s existence and the ability to connect as an agent. Consequently, the threat is moderate to high, warranting timely remediation but not immediate emergency response."}}}}, "created": "2026-03-11T11:44:54.174131+00:00", "updated": "2026-04-16T09:45:31.676577+00:00", "vendors": ["coral-protocol", "coral-protocol$PRODUCT$coral-server"]}