HIGHCVE-2026-30968Published 2026-03-10Modified 2026-03-10CNA GitHub_M

CVE-2026-30968: Coral Server has insufficient validation of agent identity for SSE connections

Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, the SSE endpoint (/sse/v1/...) in Coral Server did not strongly validate that a connecting agent was a legitimate participant in the session. This could theoretically allow unauthorized message injection or observation. This vulnerability is fixed in 1.1.0.

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

Coral-Protocol / coral-server
< 1.1.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

https://github.com/Coral-Protocol/coral-server/security/advisories/GHSA-2rj5-3pgm-xqw9
https://github.com/Coral-Protocol/coral-server/releases/tag/v1.1.0

Metrics