Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing
- Severity: Medium
Description
An Insecure Direct Object Reference (CWE-639, Authorization Bypass Through User-Controlled Key) exists in the createHeaderBasedEmailResolver() function of the Cloudflare Agents SDK (the agents npm package). The resolver selects the agent instance an inbound email is delivered to from values carried in the message's own headers. Because the sender of an email controls those headers, the identifier that picks the target object is user-controlled, and a message can be routed to agent instances the sender was never meant to reach.
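The following is an added example, not code from the Cloudflare Agents SDK. It models the CWE-639 pattern the description names: a resolver that copies the target agent instance out of sender-controlled email headers, placed beside a hardened resolver that treats the header value as an untrusted key and authorizes it against a policy for the authenticated sender. The header names (X-Agent-Name, X-Agent-ID), the policy shape, and the sample message are assumptions made for this example.

```javascript
// Added example, not code from the Cloudflare Agents SDK. Header names
// ("X-Agent-Name", "X-Agent-ID"), the policy shape and the sample message
// are assumptions made for this illustration.

// Minimal RFC 5322 header parser: lowercases names, unfolds continuation
// lines and keeps every occurrence of a header, so a resolver can refuse
// ambiguous (duplicated) routing headers instead of silently picking one.
function parseHeaders(rawEmail) {
  const headers = new Map(); // lowercase name -> [value, ...]
  const head = rawEmail.split(/\r?\n\r?\n/)[0];
  let current = null;
  for (const line of head.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && current !== null) {
      const values = headers.get(current);
      values[values.length - 1] += " " + line.trim();
      continue;
    }
    const colon = line.indexOf(":");
    if (colon <= 0) { current = null; continue; }
    current = line.slice(0, colon).trim().toLowerCase();
    if (!headers.has(current)) headers.set(current, []);
    headers.get(current).push(line.slice(colon + 1).trim());
  }
  return headers;
}

// Vulnerable shape (CWE-639): the object key, i.e. which agent instance gets
// the message, is copied straight from sender-controlled headers. Anyone who
// can send an email can address any namespace and instance they can name.
function resolveUnsafe(headers) {
  const name = (headers.get("x-agent-name") || [])[0];
  const id = (headers.get("x-agent-id") || [])[0];
  if (!name || !id) return null;
  return { agentName: name, agentId: id };
}

// Hardened shape: the headers remain a routing hint, but the chosen instance
// must be one the authenticated sender is allowed to reach. The sender
// identity has to come from the mail platform's authentication verdict
// (SPF/DKIM/DMARC); the From: header is as spoofable as the routing headers.
const ID_RE = /^[A-Za-z0-9_-]{1,64}$/;

function resolveSafe(headers, authenticatedSender, policy) {
  const names = headers.get("x-agent-name") || [];
  const ids = headers.get("x-agent-id") || [];
  // A repeated routing header is ambiguous; refuse rather than guess.
  if (names.length !== 1 || ids.length !== 1) {
    return { ok: false, reason: "ambiguous-headers" };
  }
  const [name] = names;
  const [id] = ids;
  if (!ID_RE.test(name) || !ID_RE.test(id)) {
    return { ok: false, reason: "bad-format" };
  }
  const allowedIds = policy.get(authenticatedSender)?.get(name);
  if (!allowedIds || !allowedIds.has(id)) {
    return { ok: false, reason: "unauthorized" };
  }
  return { ok: true, agentName: name, agentId: id };
}

// Constructed sample input: a sender naming a billing instance that belongs
// to somebody else. The Subject line is folded to exercise unfolding.
const SAMPLE_EMAIL = [
  "From: attacker@example.net",
  "To: inbox@agents.example.com",
  "X-Agent-Name: BillingAgent",
  "X-Agent-ID: customer-4711",
  "Subject: please",
  " re-route this",
  "",
  "body text",
].join("\r\n");

// Assumed policy: authenticated sender -> agent name -> set of instance ids.
const POLICY = new Map([
  ["alice@example.org", new Map([["BillingAgent", new Set(["customer-1"])]])],
]);

function demo() {
  const headers = parseHeaders(SAMPLE_EMAIL);
  return {
    unsafe: resolveUnsafe(headers),
    safe: resolveSafe(headers, "attacker@example.net", POLICY),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The unsafe resolver hands the attacker's message to BillingAgent/customer-4711 purely because the headers said so; the hardened one rejects it because the authenticated sender has no grant for that instance. The allowlist is deliberately keyed on the platform-authenticated sender rather than on anything inside the message, since every header in the message is under the same attacker's control.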
Recommendation
Update the agents package to the latest compatible version (0.3.7 or later). Version details:
- Affected version(s): < 0.3.7
- Patched version(s): 0.3.7
- Tags: npm, agents
Last updated on February 03, 2026