CVE-2026-30969
Published: 10 March 2026
Summary
CVE-2026-30969 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Coralos Coral Server. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-10 (Adaptive Authentication) and SC-23 (Session Authenticity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SC-23 requires protection of communications session authenticity, directly preventing impersonation by attackers using obtained or predicted session identifiers in active sessions.
IA-10 employs adaptive and continuous authentication mechanisms during active sessions, enforcing strong authentication between agents and the server beyond session IDs.
IA-11 mandates re-authentication for organization-defined conditions or privileged operations within sessions, mitigating unauthorized actions by session hijackers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE describes unauthenticated network exploitation of weak session ID handling in a public-facing server (T1190), directly enabling impersonation via predicted/obtained session identifiers as alternate auth material (T1550.004).
NVD Description
Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, Coral Server did not enforce strong authentication between agents and the server within an active session. This could allow…
more
an attacker who obtained or predicted a session identifier to impersonate an agent or join an existing session. This vulnerability is fixed in 1.1.0.
Deeper analysisAI
CVE-2026-30969 is a high-severity authentication vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) affecting Coral Server versions prior to 1.1.0, mapped to CWE-639 (Authorization Bypass Through User-Controlled Key). Coral Server provides open collaboration infrastructure for communication, coordination, trust, and payments in The Internet of Agents. In affected versions, the server fails to enforce strong authentication between agents and the server during active sessions, enabling misuse of session identifiers.
An unauthenticated network attacker can exploit this vulnerability by obtaining or predicting a valid session identifier, allowing them to impersonate a legitimate agent or join an existing session. Successful exploitation grants high-impact access to confidential data (C:H) and enables integrity violations (I:H), such as unauthorized actions on behalf of the impersonated agent, without requiring user interaction or privileges.
The issue is remediated in Coral Server version 1.1.0. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub release notes at https://github.com/Coral-Protocol/coral-server/releases/tag/v1.1.0 and the security advisory at https://github.com/Coral-Protocol/coral-server/security/advisories/GHSA-ccx7-7wv9-c55x.
Details
- CWE(s)