CVE-2026-7439

Name of the Vulnerable Software and Affected Versions AgentFlow (affected versions not specified)

Description The local web API fails to enforce application/json validation for non-JSON content types on the 'POST /api/runs' and 'POST /api/runs/validate' endpoints. This allows attackers to bypass trust-boundary enforcement on sensitive operations via browser-driven or local cross-origin requests, potentially enabling attack chains against the local control plane.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.