CVSS Score: 6.2
Published: 2026-02-13
Full Report: https://cvereports.com/reports/GHSA-W5CR-2QHR-JQC5
In the rush to connect Large Language Models (LLMs) to the real world via the Model Context Protocol (MCP), developers often overlook the plumbing. CVE-2026-1721 is a classic Reflected Cross-Site Scripting (XSS) vulnerability found in the Cloudflare Agents SDK's OAuth callback handler. By abusing how error messages are serialized into HTML, attackers could hijack a developer's session, stealing sensitive AI chat logs and potentially commanding connected agents to perform unauthorized actions.
The Cloudflare Agents SDK used JSON.stringify() to render OAuth error messages directly inside an HTML <script> tag. Since this function doesn't escape forward slashes, attackers could close the script block with </script> and inject malicious JavaScript. This grants full access to the AI Playground session.
- CWE ID: CWE-79
- CVSS Score: 6.2 (Medium)
- Attack Vector: Network
- User Interaction: Required (Clicking Link)
- Impact: Session Hijacking / Data Exfiltration
- Exploit Status: Proof of Concept (PoC) Available
- Cloudflare Agents SDK (< 0.3.10)
- Cloudflare AI Playground
- Applications implementing MCP Client with default OAuth callbacks
- cloudflare/agents: < 0.3.10 (Fixed in: 0.3.10)
- Input Sanitization: Use libraries like escape-html or he to sanitize data before rendering.
- Context-Aware Output Encoding: Understand the difference between JavaScript string escaping and HTML entity encoding.
- Architecture Change: Avoid reflecting input in the OAuth callback page entirely; use session state or nonces.
Remediation Steps:
- Update cloudflare/agents SDK to version 0.3.10 or higher.
- Audit any custom OAuth callback handlers in your own applications for similar JSON.stringify usage patterns inside <script> tags.
- Implement Content Security Policy (CSP) headers to restrict inline script execution.
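The pattern to look for during that audit, next to a serializer that is safe inside a <script> block. This is an added example, not code from the Cloudflare Agents SDK or the original report; the function names, the window.oauthError variable and the sample input are assumptions made for illustration.

```javascript
// Added example. All names below are hypothetical, not taken from the SDK.

// Pattern described in the report: JSON.stringify() output placed directly
// inside an inline <script>. The result is a valid JS string literal, but the
// HTML parser ends the script element at the first "</script" it sees.
function renderCallbackUnsafe(errorMessage) {
  return `<script>window.oauthError = ${JSON.stringify(errorMessage)};</script>`;
}

// Characters that matter to the HTML parser (<, >, &) plus U+2028/U+2029,
// which older JavaScript engines treat as line terminators inside strings.
const SCRIPT_UNSAFE = /[<>&\u2028\u2029]/g;

// Serialize a value for embedding in an inline script: JSON first, then
// rewrite the unsafe characters as \uXXXX escapes. The output is still valid
// JSON and still evaluates to the original value.
function serializeForScript(value) {
  // JSON.stringify(undefined) returns undefined; fall back to "null".
  const json = JSON.stringify(value) ?? "null";
  return json.replace(SCRIPT_UNSAFE, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderCallbackSafe(errorMessage) {
  return `<script>window.oauthError = ${serializeForScript(errorMessage)};</script>`;
}

// Audit helper: a page rendered with one script block must contain exactly
// one closing script tag. Any extra one came from reflected input.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample input: an error string carrying a closing script tag
// followed by harmless markup.
const sample = "access_denied</script><b>reflected markup</b>";

console.log("unsafe:", renderCallbackUnsafe(sample));
console.log("closing tags (unsafe):", countScriptCloses(renderCallbackUnsafe(sample)));
console.log("safe:  ", renderCallbackSafe(sample));
console.log("closing tags (safe):  ", countScriptCloses(renderCallbackSafe(sample)));
```

HTML entity encoding (escape-html, he) is the right tool when the value is rendered as element text or an attribute; inside a script block the \uXXXX form above is what keeps the value both inert to the HTML parser and intact for the JavaScript that reads it.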
Generated by CVEReports - Automated Vulnerability Intelligence