AgentFlow Content-Type Validation Bypass Vulnerability in Local Web API
Vulnerability
A vulnerability exists in AgentFlow's local web API, specifically on the POST /api/runs and POST /api/runs/validate endpoints. The API accepts non-JSON content types without properly enforcing application/json requirements. This oversight allows attackers to bypass trust-boundary enforcement on sensitive operations. Exploitation can be carried out through browser-driven or local cross-origin requests, taking advantage of the localhost API and potentially leading to attacks on the local control plane.
Impact
Exploitation of this vulnerability can disrupt the normal operation of the local control plane, potentially allowing for unauthorized execution of pipeline files or other sensitive operations.
Reproduction
To reproduce this vulnerability, send a POST request to the /api/runs or /api/runs/validate endpoint with a content type other than application/json. The request is accepted, bypassing the expected content-type validation. If the 'pipeline_path' option is enabled, this could lead to the execution of arbitrary local Python pipeline files simply by referencing their paths.
Remediation
Users can update to the latest version of AgentFlow, which includes a patch for this vulnerability. Instructions for updating can be found in the AgentFlow repository.
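For deployments that want a compensating check in front of the API, the following is an added example and not AgentFlow's actual patch: a WSGI-style middleware (an assumption about the server stack; `RequireJSON`, `is_json_content_type` and `status_for` are hypothetical names) that returns 415 for the two POST endpoints unless the media type is exactly application/json. Browsers send text/plain, application/x-www-form-urlencoded and multipart/form-data cross-origin without a CORS preflight, so rejecting them forces a preflight the localhost API can refuse.

```python
import json

# The two endpoints named in the advisory.
JSON_ONLY = {("POST", "/api/runs"), ("POST", "/api/runs/validate")}


def is_json_content_type(value):
    """True only when the media type, ignoring parameters and case, is application/json."""
    if not value:
        return False  # a missing header is rejected, not treated as JSON
    essence = value.split(";", 1)[0].strip().lower()
    return essence == "application/json"  # comma-joined or suffixed types fail


class RequireJSON:
    """WSGI middleware that rejects non-JSON bodies before the handler runs."""

    def __init__(self, app, routes=JSON_ONLY):
        self.app = app
        self.routes = routes

    def __call__(self, environ, start_response):
        # Normalise a trailing slash so "/api/runs/" cannot skip the check.
        path = environ.get("PATH_INFO", "").rstrip("/") or "/"
        key = (environ.get("REQUEST_METHOD", ""), path)
        if key in self.routes and not is_json_content_type(environ.get("CONTENT_TYPE")):
            body = json.dumps({"error": "Content-Type must be application/json"}).encode()
            start_response("415 Unsupported Media Type",
                           [("Content-Type", "application/json"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def status_for(method, path, content_type):
    """Run one constructed request through the middleware and return the status line."""
    seen = []

    def app(environ, start_response):  # stand-in for the real handler
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b"{}"]

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if content_type is not None:
        environ["CONTENT_TYPE"] = content_type
    RequireJSON(app)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```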
