CVE Reports

Originally published at cvereports.com

GHSA-W5CR-2QHR-JQC5: Agent Provocateur: Breaking the Fourth Wall in Cloudflare's AI Playground


Vulnerability ID: GHSA-W5CR-2QHR-JQC5
CVSS Score: 6.2
Published: 2026-02-13

In the rush to connect Large Language Models (LLMs) to the real world via the Model Context Protocol (MCP), developers often overlook the plumbing. CVE-2026-1721 is a classic Reflected Cross-Site Scripting (XSS) vulnerability found in the Cloudflare Agents SDK's OAuth callback handler. By abusing how error messages are serialized into HTML, attackers could hijack a developer's session, stealing sensitive AI chat logs and potentially commanding connected agents to perform unauthorized actions.

TL;DR

The Cloudflare Agents SDK used JSON.stringify() to render OAuth error messages directly inside an HTML <script> tag. Since this function doesn't escape forward slashes, attackers could close the script block with </script> and inject malicious JavaScript. This grants full access to the AI Playground session.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • CVSS Score: 6.2 (Medium)
  • Attack Vector: Network
  • User Interaction: Required (Clicking Link)
  • Impact: Session Hijacking / Data Exfiltration
  • Exploit Status: Proof of Concept (PoC) Available

Affected Systems

  • Cloudflare Agents SDK (< 0.3.10)
  • Cloudflare AI Playground
  • Applications implementing MCP Client with default OAuth callbacks
  • cloudflare/agents: < 0.3.10 (Fixed in: 0.3.10)

Code Analysis

Commit: 3f490d0

Fixed reflected XSS in OAuth callback handler by escaping error messages

- window.opener.postMessage(${JSON.stringify(error)})
+ const safeError = escapeHtml(error);
+ window.opener.postMessage(safeError)
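Review bot: the `+` lines replace JSON.stringify with escapeHtml, which is the wrong encoder for this context. The value is interpolated inside a `<script>` element, where HTML entities are not decoded, so `escapeHtml(error)` turns a legitimate `&` or `"` in the message into literal `&amp;` / `&quot;` text, and with JSON.stringify gone the emitted call `postMessage(safeError)` is no longer a quoted JavaScript string literal. Keep the JSON serialization and post-process its output by replacing `<`, `>` and `&` with `\u003c`, `\u003e` and `\u0026`; that remains a valid JS literal while ensuring no `</script` sequence reaches the HTML parser. Separately, both before and after the patch `postMessage` is called with a single argument: without an explicit targetOrigin, any page that opened the callback window can receive the error payload, so the fix should pass the expected opener origin as the second argument.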

Exploit Details

  • Manual Analysis: The patch itself shows the vulnerable pattern: an error value serialized with JSON.stringify and interpolated directly into a <script> block.

Mitigation Strategies

  • Input Sanitization: Use libraries like escape-html or he to sanitize data before rendering.
  • Context-Aware Output Encoding: Understand the difference between JavaScript string escaping and HTML entity encoding.
  • Architecture Change: Avoid reflecting input in the OAuth callback page entirely; use session state or nonces.
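The following is an added example, not code from the Cloudflare Agents SDK or the advisory. It reproduces the pattern described in the TL;DR (JSON.stringify interpolated into a <script> element) beside a script-context-safe serializer, and includes a check a reviewer can run over rendered callback pages. Function names, the error text and the target origin are constructed for the example.

```javascript
// Vulnerable pattern from the advisory: JSON.stringify escapes quotes and
// backslashes but leaves "/" and "<" alone, so an error value containing
// "</script>" terminates the script element early. (Constructed reproduction.)
function renderCallbackUnsafe(error) {
  return `<script>window.opener.postMessage(${JSON.stringify(error)}, "*")</script>`;
}

// Hardened serializer: keep JSON (so the output stays a valid JS literal) and
// rewrite the characters that matter inside a <script> element as JavaScript
// unicode escapes. The JS engine decodes \u003c back to "<", but the HTML
// parser never sees a literal "</script" sequence. HTML entity encoding
// (escape-html / he) would be wrong here: entities are not decoded in scripts.
function safeJsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')   // JS line terminators; escape to be safe
    .replace(/\u2029/g, '\\u2029');
}

// Hardened render: also pass an explicit targetOrigin (assumed value) so that
// only the expected opener can receive the message.
function renderCallbackSafe(error, targetOrigin) {
  return `<script>window.opener.postMessage(${safeJsonForScript(error)}, ` +
         `${safeJsonForScript(targetOrigin)})</script>`;
}

// Defender check: count "</script" sequences in the rendered page. A correct
// callback page has exactly one (the closing tag emitted by the template), so
// any surplus means reflected data broke out of the script element.
function scriptBreakoutCount(html) {
  return (html.match(/<\/script/gi) || []).length - 1;
}

// Constructed sample input: an OAuth error string that carries a closing tag.
const constructedError = 'invalid_request </script>';

console.log(scriptBreakoutCount(renderCallbackUnsafe(constructedError)));                    // 1
console.log(scriptBreakoutCount(renderCallbackSafe(constructedError, 'https://app.example'))); // 0
```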

Remediation Steps:

  1. Update cloudflare/agents SDK to version 0.3.10 or higher.
  2. Audit any custom OAuth callback handlers in your own applications for similar JSON.stringify usage patterns inside <script> tags.
  3. Implement Content Security Policy (CSP) headers to restrict inline script execution.

References

Read the full report for GHSA-W5CR-2QHR-JQC5 on our website for more details including interactive diagrams and full exploit analysis.
