ruvnet fixed a critical unauthenticated remote code execution flaw in Ruflo's default docker-compose deployment, tracked as CVE-2026-59726 and GHSA-c4hm-4h84-2cf3. In versions before 3.16.3, the MCP bridge exposed POST /mcp and POST /mcp/:group without authentication, allowing a network attacker to invoke terminal execution and gain a shell in the bridge container. The issue carries a CVSS 9.8 rating and was mapped to CWE-78, CWE-306, and CWE-942.
The vendor said successful exploitation could expose provider API keys, let attackers spawn attacker-controlled swarms, and poison the AgentDB learning store to influence future AI outputs; the default deployment also exposed MongoDB on all interfaces. Ruflo v3.16.3 mitigates the risk by binding the MCP bridge to 127.0.0.1 by default, requiring MCP_AUTH_TOKEN for public binding, adding bearer authentication with constant-time comparison, gating terminal execution behind MCP_ENABLE_TERMINAL=true, making the bridge filesystem read-only, and enabling MongoDB authentication with a required MONGO_INITDB_ROOT_PASSWORD. Operators of previously exposed instances were urged to firewall ports 3001 and 27017, rotate provider API keys, and audit both AgentDB and MongoDB because redeployment alone may not remove prior tampering or poisoning.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
The Ruflo MCP bridge vulnerability was published as CVE-2026-59726, affecting versions prior to 3.16.3 and describing unauthenticated access to POST /mcp and POST /mcp/:group endpoints. The advisory stated successful exploitation could yield shell access in the bridge container, exposure of provider API keys, and poisoning of AgentDB learning-store patterns.
Ruflo released version 3.16.3 as a security update addressing an unauthenticated remote code execution issue in the default docker-compose deployment's MCP bridge. The release changed the default bridge binding to 127.0.0.1, added authentication controls, gated terminal execution, and hardened MongoDB and container settings.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
cvefeed.io
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.