# Security Vulnerability Report - GenericAgent

## Vulnerability Details

| Field | Value |
|---|---|
| Type | Unauthorized API Access |
| Severity | High |
| Version | v1.0.0 - v1.0.4 |
| Date | 2026-04-24 |

## Description
TMWebDriver API endpoints (ports 18765/18766) lack authentication. Anyone can access these ports to:
- Get all browser sessions
- Execute arbitrary JavaScript
- Control browser operations
## POC

```bash
curl -X POST http://127.0.0.1:18766/link -H "Content-Type: application/json" -d '{"cmd": "get_all_sessions"}'
```

## Result

```
Status: 200
Response: {"r": []}
```

No authentication required!
## Impact
If exposed publicly, anyone can control the browser agent and execute arbitrary JavaScript.
## Fix Recommendation
1. Add API Key authentication
2. Add IP whitelist
3. Add session validation
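As an added illustration (not code from GenericAgent or from this report), the handler below shows what the first two recommendations look like for a `/link` endpoint: it binds to loopback only, accepts a fixed set of client addresses, and requires an `X-API-Key` header checked in constant time. The header name, the `TMWEBDRIVER_API_KEY` environment variable and the `authorize` helper are assumptions.

```python
import hmac
import json
import os
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed deployment convention: key comes from the environment; a random one is
# generated if unset so the server never starts with an empty or default key.
API_KEY = os.environ.get("TMWEBDRIVER_API_KEY") or secrets.token_urlsafe(32)
ALLOWED_CLIENTS = {"127.0.0.1", "::1"}  # IP allow-list (recommendation 2)


def authorize(remote_addr, headers, expected_key=None, allowed=ALLOWED_CLIENTS):
    """Return (status, reason): 403 for a disallowed source, 401 for a bad key, 200 otherwise."""
    key = expected_key if expected_key is not None else API_KEY
    if remote_addr not in allowed:
        return 403, "client address not allowed"
    presented = headers.get("X-API-Key", "")
    # Constant-time comparison avoids leaking how many key bytes matched.
    if not hmac.compare_digest(presented.encode(), key.encode()):
        return 401, "missing or invalid API key"
    return 200, "ok"


class LinkHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        status, reason = authorize(self.client_address[0], self.headers)
        if status != 200:
            self.send_error(status, reason)  # reject before parsing any command
            return
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        if self.path != "/link" or body.get("cmd") != "get_all_sessions":
            self.send_error(404, "unknown endpoint or command")
            return
        payload = json.dumps({"r": []}).encode()  # same shape as the report's response
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Listen on loopback only; the reported issue was an open, unauthenticated listener.
    HTTPServer(("127.0.0.1", 18766), LinkHandler).serve_forever()
```

With this in place the curl command from the POC returns 401 instead of 200 until the `X-API-Key` header is supplied.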
---
Reported by: Rant yang
[SECURITY_REPORT_EN.md](https://github.com/user-attachments/files/27049565/SECURITY_REPORT_EN.md)
<img width="1015" height="323" alt="Image" src="https://github.com/user-attachments/assets/f707ade2-6517-4b9a-b4b2-ce548f454f6b" />
[test_vuln.py](https://github.com/user-attachments/files/27049584/test_vuln.py)
[poc_result.json](https://github.com/user-attachments/files/27049587/poc_result.json)