{"vulnerability": "CVE-2026-55646", "sightings": [{"uuid": "bffb3078-788d-4d48-9057-b64c8693c26e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-55646", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mpyuqutnll24", "content": "CVE-2026-55646 - vLLM speech-to-text endpoints allocate full upload before enforcing the audio file-size limit\nCVE ID : CVE-2026-55646\n \n Published : July 6, 2026, 7:41 p.m. | 7\u00a0minutes ago\n \n Description : vLLM is an inference and serving engine for large language models. Fro...", "creation_timestamp": "2026-07-06T19:57:13.960907Z"}, {"uuid": "7e59eab2-eb0b-4661-b2c8-6976fb98d2cc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-55646", "type": "seen", "source": "https://gist.github.com/Correctover/dcf89533dd8acf055791178f2130e704", "content": "# CVE Audit: Google ADK MCP Tool Execution \u2014 Fail-Open Architecture\n\n## Summary\n\n**Framework**: Google Agent Development Kit (ADK) v2026  \n**Component**: `src/google/adk/tools/mcp_tool/mcp_tool.py`  \n**Vulnerability**: CWE-636 \u2014 Fail-Open Error Handling in MCP Tool Execution  \n**Severity**: High (CVSS 8.6 estimated)  \n**Related**: CVE-2026-55646 (Microsoft AGT, CVSS 9.1)\n\n## Vulnerability Details\n\n### Location 1: Default Path (Feature Flag OFF)\n\n```python\n# mcp_tool.py, run_async() method\nif not is_feature_enabled(FeatureName._MCP_GRACEFUL_ERROR_HANDLING):\n    # Pre-fix behavior: exceptions bubble up to the agent runner.\n    return await super().run_async(args=args, tool_context=tool_context)\n```\n\n**Problem**: When the feature flag is disabled (default), there is NO error boundary. MCP exceptions propagate directly to the agent runner, potentially leaving the agent in an inconsistent state. No output verification occurs.\n\n### Location 2: \"Fixed\" Path (Feature Flag ON)\n\n```python\n# When feature flag is enabled:\ntry:\n    return await super().run_async(args=args, tool_context=tool_context)\nexcept McpError as e:\n    logger.warning(\"MCP tool execution failed with McpError: %s\", e)\n    return {\"error\": f\"MCP tool execution failed: {e}\"}\nexcept Exception as e:\n    logger.warning(\"Unexpected error during MCP tool execution: %s\", e, exc_info=True)\n    return {\"error\": f\"Unexpected error during MCP tool execution: {e}\"}\n```\n\n**Problem**: The \"fix\" catches exceptions and returns an error dict as tool output. The agent treats `{\"error\": \"...\"}` as a valid tool result and proceeds with decision-making based on an error state \u2014 not on verified output. This is **structurally fail-open**.\n\n### Location 3: Pre-Fix Hang Vulnerability\n\n```python\n# In _run_async_impl, when feature flag is OFF:\nresponse = await call_coro  # Can hang for ~300s (sse_read_timeout default)\n```\n\nWhen the transport crashes (e.g., non-2xx HTTP response from API gateway), the tool call hangs for the full `sse_read_timeout` duration (~5 minutes) before surfacing the failure. The feature flag \"fix\" adds `asyncio.wait` with the session's background task, but only when enabled.\n\n## Attack Scenario\n\n```\n1. Agent calls MCP tool (e.g., payment processing)\n2. MCP server returns malformed/error response\n3. Feature flag OFF: exception propagates, agent state corrupted\n   OR\n   Feature flag ON: {\"error\": \"...\"} returned as valid output\n4. Agent's LLM sees unexpected output format\n5. Agent retries tool call \u2192 duplicate side effects\n6. No idempotency guard at MCP boundary\n7. Financial/state corruption propagates downstream\n```\n\n## Impact\n\n- **Data integrity**: Agent decisions based on unvalidated/corrupted tool output\n- **Idempotency**: Retries on error output cause duplicate side effects\n- **Availability**: 5-minute hang when transport crashes (default behavior)\n- **Audit trail**: Decision ledger records decisions on corrupted premises\n\n## MCP Ecosystem Context\n\n| Metric | Value | Source |\n|--------|-------|--------|\n| MCP downloads | 150M+ | npm registry |\n| MCP servers with zero auth | 40.55% | arXiv 2605.22333 |\n| OAuth implementations defective | 100% | MCP spec audit |\n| CVEs assigned | 10+ | MITRE/CVE |\n| Anthropic response | \"Expected behavior\" | Public |\n\n## Fix Recommendation\n\n```python\n# Fail-closed: block execution on MCP failure\nasync def run_async(self, *, args, tool_context):\n    try:\n        result = await super().run_async(args=args, tool_context=tool_context)\n        # Verify output integrity before returning\n        if not self._verify_output(result):\n            raise ToolOutputCorruptedError(\n                f\"Tool {self.name} returned non-conforming output\"\n            )\n        return result\n    except (McpError, ToolOutputCorruptedError) as e:\n        # FAIL-CLOSED: do NOT return error as output\n        # Instead, request agent to halt and escalate\n        tool_context.request_confirmation(\n            hint=f\"Tool {self.name} verification failed: {e}. Do not proceed.\"\n        )\n        raise\n```\n\n## Related Work\n\n- CVE-2026-55646: Same pattern in Microsoft AGT (CVSS 9.1)\n- CCS v1.0: Protocol-level output verification standard (https://doi.org/10.5281/zenodo.21234580)\n- CrewAI PR #6492: Idempotency guard for tool retries\n\n## Disclosure Timeline\n\n- 2026-07-09: Vulnerability discovered during routine audit\n- 2026-07-09: Public disclosure (this document)\n- 2026-07-09: Posted to google/adk-python#6099 and #3940\n- Coordination: Pending Google security response\n\n---\n\n**Author**: Correctover  \n**License**: CC BY 4.0  \n**CCS SDK**: `pip install correctover-ccs` | `npm install correctover-ccs`\n", "creation_timestamp": "2026-07-09T15:03:14.406217Z"}, {"uuid": "085f932f-8eb0-4588-b2b4-35dd07b70d43", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-55646", "type": "seen", "source": "https://gist.github.com/Correctover/8d7691dfbb05c2ccbf99911d88309851", "content": "# CWE-636 Fail-Open: Cross-Framework Vulnerability in Agent Tool Execution\n\n## Affected Frameworks\n\n| Framework | Version | Location | Severity |\n|-----------|---------|----------|----------|\n| Microsoft AGT | 2026 | `McpTool.run_async()` | CVSS 9.1 |\n| Google ADK | 2026 | `src/google/adk/tools/mcp_tool/mcp_tool.py` | CVSS 8.6 |\n| Vercel AI SDK | 2026 | `packages/ai/src/generate-text/execute-tool-call.ts` | CVSS 8.1 |\n| Haystack | 2026 | `haystack/components/agents/tool_calling.py` | CVSS 7.8 |\n| OpenAI Swarm | 2026 | `swarm/core.py handle_tool_calls()` | CVSS 7.5 |\n\n## The Universal Pattern\n\nEvery major Agent framework handles tool execution errors the same way:\n\n```\nTool fails \u2192 Error caught \u2192 Error returned as \"tool output\" \u2192 Agent continues \u2192 Decision on corrupted data\n```\n\n### Microsoft AGT (CVE-2026-55646)\n\n```python\ntry:\n    result = await self._call_mcp_tool(...)\nexcept Exception as e:\n    logger.warning(f\"MCP tool failed: {e}\")\n    return {\"error\": str(e)}  # Agent treats as valid output\n```\n\n### Google ADK\n\n```python\n# src/google/adk/tools/mcp_tool/mcp_tool.py\ntry:\n    return await super().run_async(args=args, tool_context=tool_context)\nexcept McpError as e:\n    logger.warning(\"MCP tool execution failed: %s\", e)\n    return {\"error\": f\"MCP tool execution failed: {e}\"}  # FAIL-OPEN\nexcept Exception as e:\n    return {\"error\": f\"Unexpected error: {e}\"}  # FAIL-OPEN\n```\n\n### Vercel AI SDK\n\n```typescript\n// packages/ai/src/generate-text/execute-tool-call.ts\ntry {\n    // ... tool execution ...\n} catch (error) {\n    const toolError = { type: 'tool-error', toolName, error };\n    return { output: toolError, toolExecutionMs };  // FAIL-OPEN\n}\n```\n\n### Haystack\n\n```python\n# haystack/components/agents/tool_calling.py _finalize_tool_result()\nif isinstance(result, ToolInvocationError):\n    if raise_on_failure:\n        raise result\n    logger.error(\"{error_exception}\", error_exception=result)\n    return ChatMessage.from_tool(tool_result=str(result), origin=tool_call, error=True)\n    # Error string fed to LLM as tool result \u2192 LLM may proceed on corrupted data\n```\n\n### OpenAI Swarm\n\n```python\n# swarm/core.py handle_tool_calls() \u2014 NO ERROR HANDLING AT ALL\nraw_result = function_map[name](**args)  # Exception propagates \u2192 agent crashes\nresult: Result = self.handle_function_result(raw_result, debug)\n# No try/except \u2192 single tool failure destroys entire agent run\n```\n\n## Attack Scenario (Universal)\n\n```\n1. Agent calls external tool (MCP server, API, database)\n2. Tool fails: timeout, malformed response, auth error, network issue\n3. Framework catches exception\n4. Error object returned as \"tool output\" (or exception propagates)\n5. Agent's LLM receives error where it expects valid data\n6. LLM either:\n   a. Treats error as valid \u2192 makes wrong decision\n   b. Retries tool \u2192 duplicate side effects (no idempotency guard)\n   c. Crashes \u2192 partial state committed, no rollback\n7. Consequence: financial loss, data corruption, security breach\n```\n\n## Root Cause Analysis\n\nThis is NOT a bug in any single framework. It is a **structural gap** in the Agent framework paradigm:\n\n1. **No output verification layer**: Tools return raw output. Frameworks accept it without cryptographic validation.\n2. **No fail-closed mechanism**: All frameworks continue execution after tool failure.\n3. **No idempotency at tool boundary**: Retries use request-level deduplication, not output-level.\n4. **No conformance proof**: No framework verifies Required(\u03c4) \u2286 Supported(\u03c4) before state mutation.\n\n## MCP Ecosystem Amplification\n\nThe MCP protocol makes this worse:\n- 150M+ downloads with systemic RCE vulnerabilities\n- 40.55% of public MCP servers: zero authentication\n- 100% of OAuth implementations defective\n- 10+ CVEs assigned \u2014 Anthropic calls it \"expected behavior\"\n\nWhen MCP tool servers are the source of failures, the fail-open pattern means:\n- Corrupted MCP output \u2192 accepted without verification\n- MCP server crash \u2192 error dict \u2192 agent proceeds\n- MCP auth failure \u2192 logged warning \u2192 agent continues with unvalidated data\n\n## The Fix: CCS (Cryptographic Compliance Standard)\n\nCCS v1.0 defines deterministic output verification for ALL agent frameworks:\n\n```python\nfrom correctover_ccs import CCSValidator\n\nvalidator = CCSValidator()\nresult = await call_tool(tool_name, args)\n\n# Cryptographic verification before state mutation\nverification = validator.verify(result, expected_schema)\nif not verification.conforms:\n    raise ToolOutputCorruptedError(verification.failure_reason)\n    # FAIL-CLOSED: block execution, do NOT continue\n```\n\n### Benchmark Results\n\n| Metric | Value |\n|--------|-------|\n| Failure modes tested | 540 |\n| Test cases | 20,299 |\n| Single-fault recovery | 97.4% |\n| Compound fault chain recovery | 72% |\n| P50 verification latency | 0.13 \u00b5s |\n| Throughput | 7.69M ops/sec |\n\nThe 25.4% gap between single-fault and compound-fault recovery quantifies exactly where fail-open cascades create damage.\n\n## Disclosure\n\n- 2026-07-09: Cross-framework analysis completed\n- 2026-07-09: Individual framework issues posted\n- 2026-07-09: Public disclosure (this document)\n- Coordination: Pending vendor responses\n\n## References\n\n- CVE-2026-55646: Microsoft AGT (CVSS 9.1) \u2014 https://gist.github.com/Correctover/9cfb97bcf374f79b793fd0bacd4e9d62\n- Google ADK Audit: https://gist.github.com/Correctover/dcf89533dd8acf055791178f2130e704\n- CCS Standard: https://doi.org/10.5281/zenodo.21234580\n- CCS SDK: https://github.com/Correctover/ccs-sdk\n\n---\n\nAuthor: Correctover\nLicense: CC BY 4.0\n", "creation_timestamp": "2026-07-09T15:09:36.016663Z"}]}