Origin Validation Error Affecting @grackle-ai/server package, versions <0.70.3
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-GRACKLEAISERVER-15840352
- published30 Mar 2026
- disclosed25 Mar 2026
- creditUnknown
Introduced: 25 Mar 2026
New CVE NOT AVAILABLE CWE-346 (opens in a new tab)How to fix?
Upgrade @grackle-ai/server to version 0.70.3 or higher.
Overview
@grackle-ai/server is a Grackle server orchestrator — spawns and wires core (gRPC), web-server (HTTP), MCP, and PowerLine
Affected versions of this package are vulnerable to Origin Validation Error via the connection handler process. An attacker can gain unauthorized access to real-time session data by initiating a cross-origin WebSocket connection using a malicious webpage while a valid session is active. This is only exploitable if the server is accessible on a network interface other than 127.0.0.1 or if the user is tricked into visiting a malicious site while authenticated.
Workaround
This vulnerability can be mitigated by ensuring the server is only accessible on 127.0.0.1 and avoiding the use of --allow-network in untrusted environments.