Critical Approval Bypass in check_dangerous_command Exposes AI Agent Deployments to Silent Command Execution
A CVSS 7.7 security flaw has been identified in the approval system used by AI agent tooling: dangerous commands are silently auto-approved when environment detection fails. The vulnerability, in `check_dangerous_command()` within `tools/approval.py`, returns `{approved: True}` by default when neither CLI nor gateway mode can be detected, and that condition is the standard configuration state. This neutralizes the safety gate for every agent-initiated operation in affected deployments and raises the risk of unauthorized file deletion, outbound network requests, and credential access.
The flaw stems from how the function determines its operating mode. It reads the environment variables `KAI_INTERACTIVE`/`HERMES_INTERACTIVE` (CLI mode) and `KAI_GATEWAY_SESSION`/`HERMES_GATEWAY_SESSION` (gateway mode) to decide whether an approval check applies. When none of these variables is set, which is the out-of-the-box default, the function assumes it is safe to proceed and auto-approves every operation. This is especially damaging in non-interactive deployment environments such as E2B sandboxes, Docker containers, and CI pipelines: the approval system was meant to add a layer of control there, yet in exactly that setting it provides none.
The fix applies a default-deny policy: when the environment is ambiguous, the function now returns `{approved: False}` with a clear blocking message and emits a `logger.warning()` entry for audit purposes. The patch also corrects duplicate environment variable checks in four locations. Organizations running agent tooling in containerized or automated environments should confirm that their deployments are on the patched version, since every prior release carries the silent bypass. A quick way to tell whether a deployment is exposed is to check whether the agent process has any of the four variables set: if none is, an unpatched build will auto-approve dangerous commands without logging anything.
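To make the failure mode and the fix concrete, the following is an added example, not the project's own `tools/approval.py`: a minimal reconstruction of the gate described above. The function name, environment variable names and the default-deny behaviour come from the advisory; the `approver` callback (standing in for whatever prompt or gateway round-trip the real tool performs in CLI/gateway mode), the deny-list patterns, the falsy-value handling and the `preflight()` helper are assumptions made for the example. The `default_deny=False` switch reproduces the pre-patch auto-approve branch so the two behaviours can be compared on the same input.

```python
"""Added example (not the project's code): a reconstruction of the approval
gate described in the advisory, with the pre-patch auto-approve branch kept
behind a flag for side-by-side comparison."""
import logging
import os
from typing import Callable, Mapping, Optional

logger = logging.getLogger("tools.approval")

# Environment variables named in the advisory. Each is checked exactly once,
# which is the shape the patch's "duplicate env var checks" cleanup implies.
INTERACTIVE_VARS = ("KAI_INTERACTIVE", "HERMES_INTERACTIVE")
GATEWAY_VARS = ("KAI_GATEWAY_SESSION", "HERMES_GATEWAY_SESSION")

# Constructed deny-list for this example; the real project's patterns are not on the page.
DANGEROUS_PATTERNS = ("rm -rf", "curl ", "wget ", "~/.ssh", "~/.aws/credentials")

# Assumption: these values mean "not set" rather than "set".
_FALSY = {"", "0", "false", "no", "off"}


def _is_set(name: str, env: Mapping[str, str]) -> bool:
    """Treat the variable as set only if it holds a non-falsy value."""
    return env.get(name, "").strip().lower() not in _FALSY


def detect_mode(env: Optional[Mapping[str, str]] = None) -> str:
    """Return 'cli', 'gateway' or 'unknown' from the environment (CLI wins if both are set)."""
    env = os.environ if env is None else env
    if any(_is_set(v, env) for v in INTERACTIVE_VARS):
        return "cli"
    if any(_is_set(v, env) for v in GATEWAY_VARS):
        return "gateway"
    return "unknown"


def is_dangerous(command: str) -> bool:
    """Case-insensitive substring match against the constructed deny-list."""
    lowered = command.lower()
    return any(p in lowered for p in DANGEROUS_PATTERNS)


def check_dangerous_command(
    command: str,
    env: Optional[Mapping[str, str]] = None,
    approver: Optional[Callable[[str], bool]] = None,
    *,
    default_deny: bool = True,
) -> dict:
    """Gate a command. `approver` is an assumed stand-in for the real tool's
    interactive prompt / gateway approval; with no approver the command is denied.
    default_deny=False reproduces the pre-patch behaviour for comparison only."""
    if not is_dangerous(command):
        return {"approved": True, "reason": "not flagged as dangerous"}

    mode = detect_mode(env)
    if mode in ("cli", "gateway"):
        granted = bool(approver(command)) if approver is not None else False
        verdict = "granted" if granted else "denied"
        return {"approved": granted, "reason": f"{mode} approval {verdict}"}

    # Neither mode detected: the out-of-the-box state in containers and CI.
    if default_deny:
        logger.warning("approval mode undetermined; blocking dangerous command: %r", command)
        return {"approved": False,
                "reason": "Blocked: no interactive or gateway approval channel detected"}
    # Pre-patch branch: silently auto-approves (the reported bypass).
    return {"approved": True, "reason": "no approval mode detected"}


def preflight(env: Optional[Mapping[str, str]] = None) -> list:
    """Deployment check (assumed helper): findings to review before running the agent unattended."""
    env = os.environ if env is None else env
    findings = []
    if detect_mode(env) == "unknown":
        findings.append("no approval channel configured; "
                        "pre-patch builds auto-approve every dangerous command here")
    return findings


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    bare_env = {}  # constructed: a container/CI process with none of the four variables set
    for flag in (False, True):
        result = check_dangerous_command("rm -rf /srv/data", env=bare_env, default_deny=flag)
        print(f"default_deny={flag}: {result}")
    print(preflight(bare_env))
```

Run as a script, the first line shows the pre-patch outcome (`approved: True` with no log entry) and the second the patched outcome (`approved: False` plus a warning on stderr) for an identical environment; `preflight()` is the kind of one-liner worth wiring into a container entrypoint so an ambiguous environment is caught before the agent starts, regardless of which build is installed.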
Sector: the_lab
Entity: check_dangerous_command (tools/approval.py)
Confidence: 92
Tags: ["security", "vulnerability", "approval-bypass", "CVSS-7.7", "AI-agents", "container-security", "default-deny"]
Geo scope: global
Time sensitivity: developing