SCA: security update for agents (GHSA-r7x9-8ph7-w8cg)

medium Tenable Cloud Security Plugin ID 437473

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Summary An Insecure Direct Object Reference has been found to exist in `createHeaderBasedEmailResolver()`
function within the Cloudflare Agents SDK. The issue occurs because the `Message-ID` and `References`
headers are parsed to derive the target agentName and agentId without proper validation or origin checks,
allowing an external attacker with control of these headers to route inbound mail to arbitrary Durable
Object instances and namespaces . Root cause The `createHeaderBasedEmailResolver()` function lacks
cryptographic verification or origin validation for the headers used in the routing logic, effectively
allowing external input to dictate internal object routing. Impact Insecure Direct Object Reference (IDOR)
in email routing lets an attacker steer inbound mail to arbitrary Agent instances via spoofed Message-ID.
Mitigation: * PR: https://github.com/cloudflare/agents/blob/main/docs/email.md ] provides the necessary
architectural context for coding agents to mitigate the issue by refactoring the resolver to enforce
strict identity boundaries. * Agents-sdk users should upgrade to [email protected] (CVE-2026-1664)

See Also

https://github.com/advisories/GHSA-r7x9-8ph7-w8cg

Plugin Details

Severity: Medium

ID: 437473

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 2/3/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.59

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2026-1664

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 2.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/3/2026

Vulnerability Publication Date: 2/3/2026

Reference Information

CVE: CVE-2026-1664

cwe: CWE-639