Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing
- Severity:
- Medium
Description
An Insecure Direct Object Reference (CWE-639) has been found to exist in createHeaderBasedEmailResolver() function within the Cloudflare Agents SDK.
Recommendation
Update the agents package to the latest compatible version. Followings are version details:
- Affected version(s): < 0.3.7
- Patched version(s): 0.3.7
References
Related Issues
- jsPDF has a PDF Object Injection via FreeText color - CVE-2026-31898
- CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage - CVE-2026-26862
- StudioCMS has Privilege Escalation via Insecure API Token Generation - CVE-2026-30944
- Astro has Full-Read SSRF in error rendering via Host: header injection - CVE-2026-25545
- Tags:
- npm
- agents
Anything's wrong? Let us know Last updated on February 03, 2026