In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsLearn about Missing Authentication for Critical Function vulnerabilities in an interactive lesson.
Start learningUpgrade @agenticmail/core to version 0.9.43 or higher.
@agenticmail/core is a Core SDK for AgenticMail — email, SMS, and phone call-control for AI agents
Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the handleBridgeMail process. An attacker can execute arbitrary operating system commands, read or write files, and exfiltrate data under the operator's OAuth identity by sending a crafted external email to the bridge inbox, which is processed without verifying the sender's authenticity and embeds attacker-controlled fields directly into a privileged agent session. This is only exploitable if a headless-bridge deployment is configured with a fresh host-session (<24h) and external mail is routed to the bridge inbox.