Threat Advisory

flyto-core Vulnerability Allows Unauthenticated Command Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the flyto-core software package, affecting versions prior to 2.26.4. These flaws include an Unauthenticated Command Execution vulnerability and a Server-Side Request Forgery (SSRF) guard bypass. Successful exploitation of these issues could allow attackers to execute arbitrary operating system commands or access sensitive internal resources and cloud metadata services. The business impact is severe, potentially leading to full system compromise, data exfiltration, and unauthorized access to critical infrastructure components.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the flyto-core software package, affecting versions prior to 2.26.4. These flaws include an Unauthenticated Command Execution vulnerability and a Server-Side Request Forgery (SSRF) guard bypass. Successful exploitation of these issues could allow attackers to execute arbitrary operating system commands or access sensitive internal resources and cloud metadata services. The business impact is severe, potentially leading to full system compromise, data exfiltration, and unauthorized access to critical infrastructure components.[emaillocker id="1283"]

  • CVE-2026-55786 with a CVSS score of 8.4 – This vulnerability permits unauthenticated command execution via the HTTP MCP endpoint by passing attacker-controlled input directly to a subprocess shell function.
  • CVE-2026-55787 with a CVSS score of 7.1 – This flaw involves a Server-Side Request Forgery guard bypass because the validation logic fails to account for IPv6 transition addresses, allowing access to internal resources.

These vulnerabilities pose a critical risk to the integrity and confidentiality of environments running flyto-core. If exploited, threat actors could gain complete control over the server or extract sensitive metadata, leading to significant operational disruption and potential data breaches. Immediate attention is required to assess exposure and prevent potential supply chain or infrastructure attacks.

RECOMMENDATION:

  • We recommend you to update flyto-core to version 2.26.4 and 2.26.3.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-h9f9-h6gm-wc85
https://github.com/advisories/GHSA-794r-5rp2-fpg8

[/emaillocker]
crossmenu