{"uuid": "085f932f-8eb0-4588-b2b4-35dd07b70d43", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-55646", "type": "seen", "source": "https://gist.github.com/Correctover/8d7691dfbb05c2ccbf99911d88309851", "content": "# CWE-636 Fail-Open: Cross-Framework Vulnerability in Agent Tool Execution\n\n## Affected Frameworks\n\n| Framework | Version | Location | Severity |\n|-----------|---------|----------|----------|\n| Microsoft AGT | 2026 | `McpTool.run_async()` | CVSS 9.1 |\n| Google ADK | 2026 | `src/google/adk/tools/mcp_tool/mcp_tool.py` | CVSS 8.6 |\n| Vercel AI SDK | 2026 | `packages/ai/src/generate-text/execute-tool-call.ts` | CVSS 8.1 |\n| Haystack | 2026 | `haystack/components/agents/tool_calling.py` | CVSS 7.8 |\n| OpenAI Swarm | 2026 | `swarm/core.py handle_tool_calls()` | CVSS 7.5 |\n\n## The Universal Pattern\n\nEvery major Agent framework handles tool execution errors the same way:\n\n```\nTool fails \u2192 Error caught \u2192 Error returned as \"tool output\" \u2192 Agent continues \u2192 Decision on corrupted data\n```\n\n### Microsoft AGT (CVE-2026-55646)\n\n```python\ntry:\n    result = await self._call_mcp_tool(...)\nexcept Exception as e:\n    logger.warning(f\"MCP tool failed: {e}\")\n    return {\"error\": str(e)}  # Agent treats as valid output\n```\n\n### Google ADK\n\n```python\n# src/google/adk/tools/mcp_tool/mcp_tool.py\ntry:\n    return await super().run_async(args=args, tool_context=tool_context)\nexcept McpError as e:\n    logger.warning(\"MCP tool execution failed: %s\", e)\n    return {\"error\": f\"MCP tool execution failed: {e}\"}  # FAIL-OPEN\nexcept Exception as e:\n    return {\"error\": f\"Unexpected error: {e}\"}  # FAIL-OPEN\n```\n\n### Vercel AI SDK\n\n```typescript\n// packages/ai/src/generate-text/execute-tool-call.ts\ntry {\n    // ... tool execution ...\n} catch (error) {\n    const toolError = { type: 'tool-error', toolName, error };\n    return { output: toolError, toolExecutionMs };  // FAIL-OPEN\n}\n```\n\n### Haystack\n\n```python\n# haystack/components/agents/tool_calling.py _finalize_tool_result()\nif isinstance(result, ToolInvocationError):\n    if raise_on_failure:\n        raise result\n    logger.error(\"{error_exception}\", error_exception=result)\n    return ChatMessage.from_tool(tool_result=str(result), origin=tool_call, error=True)\n    # Error string fed to LLM as tool result \u2192 LLM may proceed on corrupted data\n```\n\n### OpenAI Swarm\n\n```python\n# swarm/core.py handle_tool_calls() \u2014 NO ERROR HANDLING AT ALL\nraw_result = function_map[name](**args)  # Exception propagates \u2192 agent crashes\nresult: Result = self.handle_function_result(raw_result, debug)\n# No try/except \u2192 single tool failure destroys entire agent run\n```\n\n## Attack Scenario (Universal)\n\n```\n1. Agent calls external tool (MCP server, API, database)\n2. Tool fails: timeout, malformed response, auth error, network issue\n3. Framework catches exception\n4. Error object returned as \"tool output\" (or exception propagates)\n5. Agent's LLM receives error where it expects valid data\n6. LLM either:\n   a. Treats error as valid \u2192 makes wrong decision\n   b. Retries tool \u2192 duplicate side effects (no idempotency guard)\n   c. Crashes \u2192 partial state committed, no rollback\n7. Consequence: financial loss, data corruption, security breach\n```\n\n## Root Cause Analysis\n\nThis is NOT a bug in any single framework. It is a **structural gap** in the Agent framework paradigm:\n\n1. **No output verification layer**: Tools return raw output. Frameworks accept it without cryptographic validation.\n2. **No fail-closed mechanism**: All frameworks continue execution after tool failure.\n3. **No idempotency at tool boundary**: Retries use request-level deduplication, not output-level.\n4. **No conformance proof**: No framework verifies Required(\u03c4) \u2286 Supported(\u03c4) before state mutation.\n\n## MCP Ecosystem Amplification\n\nThe MCP protocol makes this worse:\n- 150M+ downloads with systemic RCE vulnerabilities\n- 40.55% of public MCP servers: zero authentication\n- 100% of OAuth implementations defective\n- 10+ CVEs assigned \u2014 Anthropic calls it \"expected behavior\"\n\nWhen MCP tool servers are the source of failures, the fail-open pattern means:\n- Corrupted MCP output \u2192 accepted without verification\n- MCP server crash \u2192 error dict \u2192 agent proceeds\n- MCP auth failure \u2192 logged warning \u2192 agent continues with unvalidated data\n\n## The Fix: CCS (Cryptographic Compliance Standard)\n\nCCS v1.0 defines deterministic output verification for ALL agent frameworks:\n\n```python\nfrom correctover_ccs import CCSValidator\n\nvalidator = CCSValidator()\nresult = await call_tool(tool_name, args)\n\n# Cryptographic verification before state mutation\nverification = validator.verify(result, expected_schema)\nif not verification.conforms:\n    raise ToolOutputCorruptedError(verification.failure_reason)\n    # FAIL-CLOSED: block execution, do NOT continue\n```\n\n### Benchmark Results\n\n| Metric | Value |\n|--------|-------|\n| Failure modes tested | 540 |\n| Test cases | 20,299 |\n| Single-fault recovery | 97.4% |\n| Compound fault chain recovery | 72% |\n| P50 verification latency | 0.13 \u00b5s |\n| Throughput | 7.69M ops/sec |\n\nThe 25.4% gap between single-fault and compound-fault recovery quantifies exactly where fail-open cascades create damage.\n\n## Disclosure\n\n- 2026-07-09: Cross-framework analysis completed\n- 2026-07-09: Individual framework issues posted\n- 2026-07-09: Public disclosure (this document)\n- Coordination: Pending vendor responses\n\n## References\n\n- CVE-2026-55646: Microsoft AGT (CVSS 9.1) \u2014 https://gist.github.com/Correctover/9cfb97bcf374f79b793fd0bacd4e9d62\n- Google ADK Audit: https://gist.github.com/Correctover/dcf89533dd8acf055791178f2130e704\n- CCS Standard: https://doi.org/10.5281/zenodo.21234580\n- CCS SDK: https://github.com/Correctover/ccs-sdk\n\n---\n\nAuthor: Correctover\nLicense: CC BY 4.0\n", "creation_timestamp": "2026-07-09T15:09:36.016663Z"}