6.2
Cloudflare Agents: Malicious Links Can Steal User Data and Control MCP Servers
CVE-2026-1721
GHSA-cvhv-6xm6-c3v4
Summary
Cloudflare Agents has a security flaw that lets attackers steal user chat history and take control of connected servers if users click on a malicious link. To fix this, update to agents@0.3.10 or ensure you're properly escaping user-controlled input in your own applications.
What to do
- Update GitHub Actions agents to version 0.3.10.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| GitHub Actions | agents | <= 0.3.10 | 0.3.10 |
Original title
Cloudflare Agents is Vulnerable to Reflected Cross-Site Scripting in the AI Playground's OAuth callback handler
Original description
Summary
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the AI Playground's OAuth callback handler. The `error_description` query parameter was directly interpolated into an HTML script tag without proper escaping, allowing attackers to execute arbitrary JavaScript in the context of the victim's session.
Root cause
The OAuth callback handler in `site/ai-playground/src/server.ts` directly interpolated the `authError` value, sourced from the `error_description` query parameter, into an inline `<script>` tag.
Impact
An attacker could craft a malicious link that, when clicked by a victim, would:
* Steal user chat message history - Access all LLM interactions stored in the user's session.
* Access connected MCP Servers - Interact with any MCP servers connected to the victim's session (public or authenticated/private), potentially allowing the attacker to perform actions on the victim's behalf.
Mitigation:
* PR: https://github.com/cloudflare/agents/pull/841
* Agents SDK users should upgrade to agents@0.3.10.
* Developers using `configureOAuthCallback` with custom error handling in their own applications should ensure all user-controlled input is escaped before interpolation.
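The escaping that the last mitigation item asks for, as an added example (not code from cloudflare/agents or from the fix in PR 841): it contrasts interpolating a value into an inline `<script>` with emitting a script-safe string literal. The function names, the `window.authError` assignment and the sample value are assumptions made for illustration.

```typescript
// Added example: not the code from cloudflare/agents. All names are hypothetical.

// Constructed sample for an error_description value: it contains a quote
// and a closing script tag, the two character sequences that matter here.
const SAMPLE: string = 'denied"</script><i>x';

// Pattern the advisory describes: the raw value is pasted into an inline
// <script>, so the HTML parser and the JS parser both see it unescaped.
function renderCallbackUnsafe(authError: string): string {
  return `<script>window.authError = "${authError}";</script>`;
}

// JSON.stringify handles quotes, backslashes and newlines, but it leaves
// "<", ">", "&", U+2028 and U+2029 as they are. Inside a <script> element
// the HTML parser ends the block at the first "</script", whatever the JS
// string quoting says, so those characters are rewritten as \uXXXX escapes.
function toScriptLiteral(value: string): string {
  return JSON.stringify(value).replace(
    /[<>&\u2028\u2029]/g,
    (ch: string): string =>
      "\\u" + ("0000" + ch.charCodeAt(0).toString(16)).slice(-4)
  );
}

// Hardened form: the value reaches the page only as an escaped literal.
function renderCallbackSafe(authError: string): string {
  return `<script>window.authError = ${toScriptLiteral(authError)};</script>`;
}

// Check usable in a unit test: a page built from one inline script
// must contain exactly one closing script tag.
function countScriptCloses(html: string): number {
  return (html.match(/<\/script/gi) || []).length;
}
```

Where the value only needs to be displayed, setting it as text (for example through `textContent`) instead of building script source avoids the script context entirely.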
NVD CVSS 4.0
6.2
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 13 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026