CVE-2026-30970 is a vulnerability classified under CWE-862 (Missing Authorization) affecting Coral-Protocol's coral-server prior to version 1.1.0. The flaw resides in the /api/v1/sessions REST API endpoint, which allows creation of agent sessions without enforcing strong authentication or authorization checks. This endpoint initiates resource-intensive operations such as spawning containers and creating memory contexts for each session. Because no authentication or user interaction is required, an attacker with network access to this endpoint can repeatedly create sessions, leading to resource exhaustion and potential denial of service (DoS). The vulnerability is critical because it impacts availability severely and can be exploited remotely with low complexity. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N) reflects that the attack requires no privileges or user interaction, has network attack vector, and causes high impact on integrity and availability. The vulnerability was publicly disclosed on March 10, 2026, and fixed in coral-server version 1.1.0. No public exploits are known yet, but the risk remains high for organizations running vulnerable versions, especially those deploying Coral Server as part of Internet of Agents infrastructure, which facilitates communication, coordination, trust, and payments among autonomous agents.

The primary impact of this vulnerability is on system availability due to the potential for resource exhaustion. An attacker can repeatedly create agent sessions without authorization, causing excessive consumption of CPU, memory, and container resources. This can degrade performance or crash the coral-server instance, disrupting services dependent on the Internet of Agents infrastructure. Additionally, unauthorized session creation could undermine trust and coordination mechanisms if attackers manipulate session states or flood the system with bogus agents. Organizations relying on coral-server for critical IoT or agent-based applications may experience service outages, operational disruption, and potential cascading failures in connected systems. The vulnerability does not directly expose confidential data but poses a significant risk to system integrity and availability, which can have severe operational and financial consequences.

The primary mitigation is to upgrade coral-server to version 1.1.0 or later, where the missing authorization check on the /api/v1/sessions endpoint has been implemented. Until upgrade is possible, organizations should restrict network access to the vulnerable API endpoint using firewalls or network segmentation to limit exposure to trusted users only. Implementing strong authentication and authorization proxies in front of the API can help prevent unauthorized session creation. Monitoring and alerting on unusual session creation rates or resource usage spikes can provide early detection of exploitation attempts. Additionally, applying rate limiting or throttling on the /api/v1/sessions endpoint can reduce the risk of resource exhaustion. Regularly auditing and reviewing access logs for suspicious activity related to session creation is recommended. Finally, organizations should incorporate this vulnerability into their incident response plans to quickly address potential exploitation.