CRITICAL Vulnerability

CVE-2026-12644

Agent enrollment token reuse in hybrid automation fleet

A provisioning flaw allowed previously issued enrollment tokens to be replayed during bootstrap, leading to unauthorized agent registration in specific hybrid deployments.

CVE: CVE-2026-12644
Title: Agent enrollment token reuse in hybrid automation fleet
Case Number: VAPT-2026-00001
Status: Published
Credits
  • Dr. Elias Thorne (finder)
Affected products
  Product:    Thorne Security Labs VAPT Hybrid Agent 2.6 to 2.8 before build 2.8.4
  Affected:   VAPT Hybrid Agent 2.6.0 through 2.8.3
  Unaffected: VAPT Hybrid Agent 2.8.4 and later
  Unknown:    Unknown
CVSS
  Base score: 9.8 - CRITICAL
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
Problem type(s)
  CWE / Problem Type | MITRE Tactics | MITRE Techniques
  Not mapped | Not mapped
Date published: Mar 11, 2026
Last modified: Apr 10, 2026, 13:43 UTC

Description

Bootstrap enrollment tokens remained reusable after expected expiry windows in specific hybrid provisioning paths. An attacker with captured bootstrap material could replay enrollment and register an unauthorized agent inside the telemetry trust domain.
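To illustrate the flaw class described above, the following added example (constructed for this advisory, not the vendor's enrollment code) contrasts a bootstrap validator that checks only the token signature with one that also enforces the expiry window and single use. It assumes a server-side HMAC key and a simple "agent_id|expiry|nonce|mac" token layout; both are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment keeps this in an HSM or secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def issue_token(agent_id: str, now: int, ttl: int = 300) -> str:
    """Issue a bootstrap token: agent id, absolute expiry, random nonce, HMAC."""
    body = f"{agent_id}|{now + ttl}|{secrets.token_hex(8)}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def verify_signature(token: str):
    """Return (agent_id, expiry, nonce) if the HMAC is valid, else None."""
    agent_id, exp, nonce, mac = token.split("|")
    body = f"{agent_id}|{exp}|{nonce}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return agent_id, int(exp), nonce


class Enroller:
    def __init__(self):
        self.registered = {}   # agent_id -> nonce of the token that enrolled it
        self.consumed = set()  # nonces already redeemed (hardened path only)

    def enroll_weak(self, token: str, now: int) -> str:
        """Flawed pattern: signature only; expiry is ignored and replay succeeds."""
        parsed = verify_signature(token)
        if parsed is None:
            return "bad_signature"
        agent_id, _exp, nonce = parsed
        self.registered[agent_id] = nonce
        return "enrolled"

    def enroll_hardened(self, token: str, now: int) -> str:
        """Enforce the expiry window and single use before registering the agent."""
        parsed = verify_signature(token)
        if parsed is None:
            return "bad_signature"
        agent_id, exp, nonce = parsed
        if now >= exp:
            return "expired"
        if nonce in self.consumed:
            return "replayed"
        self.consumed.add(nonce)
        self.registered[agent_id] = nonce
        return "enrolled"
```

The consumed-nonce set must be shared across every provisioning path that accepts bootstrap tokens; a per-path store recreates the reuse window the advisory describes.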

Known Detection Rules

No authenticated YARA, Sigma, or KQL detection content is attached to this CVE.

References