CVE-2026-30969 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting Coral-Protocol's coral-server prior to version 1.1.0. Coral Server is an open collaboration infrastructure designed to facilitate communication, coordination, trust, and payments among agents in the Internet of Agents ecosystem. The vulnerability stems from the server's failure to enforce strong authentication between agents and the server during active sessions. Specifically, if an attacker can obtain or predict a valid session identifier, they can impersonate an agent or join an existing session without proper authorization. This bypass occurs because the session identifier acts as a user-controlled key that the server trusts without additional verification. The vulnerability has a CVSS 4.0 base score of 7.6, indicating high severity, with attack vector network (AV:N), high attack complexity (AC:H), no privileges required (PR:L), no user interaction (UI:N), and high impact on confidentiality and integrity (VC:H, VI:H). No known exploits are currently reported in the wild. The issue was addressed and fixed in coral-server version 1.1.0 by enforcing stronger authentication mechanisms within active sessions to prevent session hijacking and unauthorized access.

The vulnerability allows attackers to impersonate legitimate agents or join active sessions by exploiting predictable or leaked session identifiers. This can lead to unauthorized access to sensitive communications, coordination data, and potentially financial transactions within the Internet of Agents infrastructure. The confidentiality and integrity of agent interactions are at risk, potentially enabling data leakage, manipulation of coordination processes, or fraudulent payments. Organizations relying on coral-server for critical agent collaboration may face operational disruptions, loss of trust, and financial damage. Given the network-based attack vector and no requirement for user interaction, exploitation could be automated and scalable if session identifiers are weak or exposed. The lack of known exploits suggests limited current impact, but the vulnerability presents a significant risk if leveraged by attackers targeting ecosystems using coral-server.

Organizations should immediately upgrade coral-server to version 1.1.0 or later, where the vulnerability is fixed by enforcing strong authentication within active sessions. Until upgrading, implement network-level protections such as restricting access to coral-server endpoints via firewalls or VPNs to trusted agents only. Monitor session identifiers for anomalies and consider implementing additional session management controls like rotating session tokens frequently and using cryptographically secure random session IDs. Conduct audits of session handling and authentication logic to ensure no other bypasses exist. Educate developers and administrators about the importance of strong session authentication and the risks of predictable session identifiers. Employ intrusion detection systems to identify unusual session activity that may indicate exploitation attempts. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential compromises.