2026-06-05 - 2026-07-05
Overview
13 Issues created by 1 user
#10 [C1] Secrets/tokens in WebSocket URL query strings (opened)
#11 [C2] Unauthenticated downloads.rs: hardcoded prod relay URL + default API-key fallback + false support-embedding docstring (opened)
#12 [C3] downloads.rs body().unwrap() on attacker-controlled Content-Disposition filename -> unauthenticated panic/DoS (opened)
#13 [C4] Agent block_in_place/Handle::block_on in main async session loop -> thread-starvation/deadlock (opened)
#14 [C5] Auto-update verified only by SHA-256 over same channel, no signature -> fleet-wide SYSTEM RCE on MITM (opened)
#15 [H1] No rate-limit/lockout on the login path (opened)
#16 [H2] Bootstrap admin plaintext password written to .admin-credentials + info! log fallback (opened)
#17 [H3] revoke_user_tokens is a 501 stub whose comment claims partial behavior (opened)
#18 [H4] token_blacklist cleanup_expired re-verifies every JWT signature; stores whole tokens in RAM (opened)
#19 [H5] Server does not block self-role-demotion (only self-delete); lockout guard is client-only (opened)
#20 [H6] Dashboard JWT in sessionStorage, blindly attached as Bearer, no exp/refresh/idle-timeout (opened)
#21 [H7] Attended-consent MessageBoxW awaited inside agent main loop -> up to ~60s of no heartbeats/stop processing (opened)
#22 [H8] cak_ store ACL set via bare icacls (PATH search) from SYSTEM -> LPE; silent weaker store on failure (opened)
1 Unresolved Conversation
#1 Native viewer protocol URL parsing needs testing (open)