CVE-2026-8321: Inkeep Agents Authentication Bypass Vulnerability

The National Vulnerability Database has disclosed CVE-2026-8321, a high-severity authentication bypass vulnerability affecting Inkeep agents version 0.58.14. The flaw resides in the createDevContext function of the file agents-api/src/middleware/runAuth.ts, part of the runAuth Middleware component. Attackers can exploit it remotely to bypass authentication using an alternate channel.

The CVSS score for CVE-2026-8321 is 7.3 (HIGH), with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. This indicates a network-exploitable vulnerability requiring low attack complexity and no user interaction, leading to low impacts on confidentiality, integrity, and availability. The exploit code is now public, significantly increasing the immediate risk for organizations running affected Inkeep agent versions.

Despite early notification via an issue report, the project maintainers have not yet responded. This lack of communication leaves defenders in a precarious position: no patch is available for a vulnerability whose exploit is already public. Organizations using Inkeep agents must prioritize identifying their exposure and implementing compensating controls.

What This Means For You

  • If your organization uses Inkeep agents, specifically version 0.58.14, you are immediately vulnerable to a remote authentication bypass due to CVE-2026-8321. The exploit is public. You must identify all instances of Inkeep agents in your environment, assess their version, and isolate or disable affected systems if a patch is not available. Implement strict network segmentation and monitor for any unusual authentication attempts or access to systems protected by Inkeep agents.

🛡️ Detection Rules

critical T1190 Initial Access

CVE-2026-8321: Inkeep Agents Authentication Bypass via Alternate Channel

Sigma YAML:
title: CVE-2026-8321: Inkeep Agents Authentication Bypass via Alternate Channel
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-8321 by targeting the createDevContext function within the runAuth Middleware of Inkeep Agents. This rule looks for specific HTTP POST requests to '/runAuth' with 'createDevContext' in the query string, indicating a potential authentication bypass attempt using an alternate channel.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8321/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/runAuth'
    cs-method:
      - 'POST'
    sc-status:
      - '200'
    cs-uri-query|contains:
      - 'createDevContext'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse
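
To see which events the rule's selection actually picks out, the following added example (not from the feed or the Inkeep project) evaluates that selection block against a small W3C-style log. It assumes logs carry a #Fields header with the same field names the rule uses; every log line is constructed for illustration.

```python
"""Added example: apply the Sigma rule's selection to W3C-style web logs."""

# Selection copied from the rule above: fields are AND-ed, list values OR-ed.
SELECTION = {
    "cs-uri|contains": ["/runAuth"],
    "cs-method": ["POST"],
    "sc-status": ["200"],
    "cs-uri-query|contains": ["createDevContext"],
}

# Constructed sample log; addresses, paths and times are illustrative only.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri cs-uri-query sc-status
2026-05-12 10:01:02 203.0.113.7 POST /runAuth createDevContext=1 200
2026-05-12 10:01:05 203.0.113.7 POST /runAuth createDevContext=1 401
2026-05-12 10:02:11 198.51.100.4 GET /runAuth createDevContext=1 200
2026-05-12 10:03:40 198.51.100.4 POST /api/chat - 200
2026-05-12 10:04:00 192.0.2.9 POST /api/runAuth/x a=b&createDevContext 200
"""

def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields, events = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            events.append(dict(zip(fields, line.split())))
    return events

def field_matches(event, key, values):
    """Evaluate one 'field|modifier' entry; Sigma strings are case-insensitive."""
    name, _, modifier = key.partition("|")
    if modifier not in ("", "contains"):
        raise ValueError(f"unsupported modifier: {modifier}")
    actual = event.get(name)
    if actual is None:
        return False
    actual = actual.lower()
    if modifier == "contains":
        return any(v.lower() in actual for v in values)
    return any(v.lower() == actual for v in values)

def hits(text, selection=SELECTION):
    """Return the events for which every selection field matches."""
    return [e for e in parse_w3c(text)
            if all(field_matches(e, k, v) for k, v in selection.items())]
```

Calling hits(SAMPLE_LOG) selects the first and last rows only; rows that differ in a single field (status 401, method GET, empty query string) are not selected because Sigma ANDs the fields within a selection.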

Indicators of Compromise

ID | Type | Indicator
CVE-2026-8321 | Auth Bypass | inkeep agents version 0.58.14
CVE-2026-8321 | Auth Bypass | runAuth Middleware component
CVE-2026-8321 | Auth Bypass | function createDevContext in agents-api/src/middleware/runAuth.ts

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 11, 2026 at 23:25 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
