Missing Authentication for Critical Function in @grackle-ai/powerline

Q: How to fix?

Upgrade @grackle-ai/powerline to version 0.70.1 or higher.

Introduced: 25 Mar 2026

How to fix?

Upgrade @grackle-ai/powerline to version 0.70.1 or higher.

Overview

@grackle-ai/powerline is a gRPC PowerLine server for Grackle AI agent integration

Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the PowerLine gRPC server when when --token is not provided and GRACKLE_POWERLINE_TOKEN is not set. An attacker can gain unauthorized access, spawn agent sessions, retrieve credential tokens, and execute arbitrary code by connecting to the exposed service. This is only exploitable if the service is bound to a non-localhost interface or is otherwise accessible from outside the local machine.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Missing Authentication for Critical Function Affecting @grackle-ai/powerline package, versions <0.70.1

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 25 Mar 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk