vizi2000/borgoscritical

AI-First Multi-Agent Operating System with Zenith Coder, Agent Zero, and MCP Integration

BorgOS is an AI-first multi-agent operating system that integrates multiple AI agents (Agent Zero, Zenith Coder) with MCP (Model Context Protocol) to ...

purpose: BorgOS is an AI-first multi-agent operating system
threat: network exposed
Shell · 2 · May 21, 2026 · May 21, 2026 · GITHUB ↗
RISK SCORE
0 / 100 risk
low findings +5
high findings +100
medium findings +60
critical findings +40
capped at 100
VULNERABILITY ANALYSIS · 10 findings in 10 blocks · 5 HIGH · 4 MEDIUM
CRITICAL · 1 finding
core/mcp_server.py:356
    async def tool_execute_command(self, command: str, working_dir: Optional[str] = None) -> Dict[str, Any]:
        """Execute system command"""
        import subprocess

        try:
            result = subprocess.run(
                command,
                shell=True,  # the caller-supplied string is handed to the system shell unchanged
                cwd=working_dir,
                capture_output=True,
                text=True,
                timeout=30
            )
            ...

// Network-exposed MCP server allows remote attackers to execute arbitrary commands.

EXPLAIN: The `execute_command` MCP tool accepts an arbitrary `command` string and executes it via `subprocess.run` with `shell=True`. There is no validation, sanitization, or restriction on which commands can be run. The tool is exposed through the MCP server and can be invoked by any authenticated user (or by unauthenticated users if no authentication is enforced).
IMPACT: An attacker can execute arbitrary system commands on the BorgOS server, leading to full compromise, data exfiltration, or lateral movement.
FIX: Remove the `execute_command` tool entirely, or restrict it to an allowlist of safe commands with strict input validation. Avoid `shell=True`; pass the command as a list of arguments instead.
HIGH · 1 finding
core/mcp_server.py:68
            "execute_command": {
                "description": "Execute a system command",
                "parameters": {
                    "command": {"type": "string", "required": True},
                    "working_dir": {"type": "string", "required": False}
                },
                "handler": self.tool_execute_command
            },

// Network-exposed MCP server allows remote attackers to execute arbitrary commands.

EXPLAIN: The MCP server registers an `execute_command` tool that allows executing arbitrary system commands. This goes far beyond the intended purpose of project management and deployment automation. The tool is registered in the tool table and reachable via the MCP query endpoint.
IMPACT: Any user or AI agent with access to the MCP server can execute arbitrary commands on the host system, leading to full compromise.
FIX: Remove the `execute_command` tool. If command execution is absolutely necessary, restrict it to an allowlist of safe commands with strict input validation.
HIGH · 1 finding
webui/app.py:138
    if request.method == 'POST':
        query = request.form.get('q', '')
        if query:
            try:
                result = subprocess.run(
                    ['/opt/borgos/env/bin/python3', '/usr/local/bin/borg', query],
                    capture_output=True,
                    text=True,
                    timeout=30
                )
                output = result.stdout or result.stderr
            except subprocess.TimeoutExpired:
                output = "Command timed out after 30 seconds"
            except Exception as e:
                output = f"Error: {str(e)}"

// Network-exposed web dashboard allows remote attackers to inject commands.

EXPLAIN: The web dashboard accepts user input via the form field `q` and passes it directly as an argument to a subprocess call. The executable itself is fixed and the argument list form avoids a shell at this call site, but the `query` string is handed unmodified to the `borg` script, which may interpret it unsafely. Additionally, the `borg` CLI (borg_cli.py) does not sanitize its input and may execute arbitrary commands via shell injection if its own implementation uses `shell=True` or unsafe parsing.
IMPACT: An attacker can inject additional commands or arguments, potentially leading to arbitrary code execution on the server.
FIX: Sanitize and validate user input. Avoid passing user input directly to subprocess calls. Use parameterized APIs or restrict input to a predefined set of safe queries.
HIGH · 1 finding
webui/app.py:167
    data = request.json
    query = data.get('query', '')

    if not query:
        return jsonify({'error': 'No query provided'}), 400

    try:
        result = subprocess.run(
            ['borg', query],
            capture_output=True,
            text=True,
            timeout=30
        )
        return jsonify({
            'query': query,
            'response': result.stdout,
            'error': result.stderr if result.returncode != 0 else None
        })

// Network-exposed API allows remote attackers to inject commands.

EXPLAIN: The `/api/query` endpoint accepts a JSON payload with a `query` field and passes it directly as an argument to the `borg` command. This is the same weakness as the form-based handler, but reachable via the JSON API, which makes it easier to drive programmatically.
IMPACT: An attacker can execute arbitrary commands on the server by crafting malicious `query` strings.
FIX: Remove the API endpoint or implement strict input validation. Avoid passing user input directly to subprocess calls.
HIGH · 1 finding
core/agent_zero_integration.py:106
    async def start_agent(self, config: Optional[Dict[str, Any]] = None) -> bool:
        ...
            cmd = [
                sys.executable,
                str(self.agent_zero_dir / "run_ui.py"),
                "--port", str(self.agent_port)
            ]

            logger.info(f"Starting Agent Zero on port {self.agent_port}...")
            self.agent_process = subprocess.Popen(
                cmd,
                cwd=str(self.agent_zero_dir),
                stdout=subprocess.PIPE,
                stderr=subprocess.PIPE
            )

// Network-exposed API allows attackers to trigger agent start/stop, potentially leading to code execution.

EXPLAIN: The `start_agent` method uses `subprocess.Popen` to start an external process. The command itself is hardcoded, but the `agent_port` value comes from a configurable attribute; if an attacker can influence the configuration (e.g., via the API), they could inject arguments. More critically, the `execute_task` method (line 190) imports and runs code from the Agent Zero directory, which could be malicious if that path is tampered with.
IMPACT: An attacker could potentially execute arbitrary code by manipulating the Agent Zero configuration or directory.
MEDIUM · 1 finding
core/main.py:117
    def setup_middleware(self):
        self.app.add_middleware(
            CORSMiddleware,
            allow_origins=["*"],
            allow_credentials=True,
            allow_methods=["*"],
            allow_headers=["*"],
        )

// Network-exposed API without authentication allows anyone to access all functionality.

EXPLAIN: The FastAPI application has CORS configured to allow all origins, methods, and headers, with credentials allowed. More importantly, no authentication or authorization middleware is applied to any endpoint. All API endpoints (including project creation, deployment, agent task execution, and MCP queries) are accessible without any authentication.
IMPACT: An attacker can access all API functionality without authentication, including creating projects, deploying services, executing commands, and interacting with AI agents.
FIX: Implement authentication (e.g., API keys, JWT) and authorization checks on all endpoints. Restrict CORS to trusted origins.
MEDIUM · 1 finding
core/main.py:558
        @app.websocket("/ws")
        async def websocket_endpoint(websocket: WebSocket):
            await self.websocket_manager.connect(websocket)
            try:
                while True:
                    data = await websocket.receive_text()
                    # Echo back for now
                    await websocket.send_text(f"Echo: {data}")
            except WebSocketDisconnect:
                self.websocket_manager.disconnect(websocket)

// Network-exposed WebSocket without authentication allows information disclosure.

EXPLAIN: The WebSocket endpoint at `/ws` accepts connections without any authentication. The handler itself only echoes messages, but the WebSocket manager broadcasts system events (project creation, deployments, errors) to every connected client, potentially leaking sensitive information.
IMPACT: An attacker can connect to the WebSocket and receive real-time updates about system events, including project details and error logs.
FIX: Implement authentication for WebSocket connections. Validate tokens or session IDs before accepting connections.
MEDIUM · 1 finding
core/main.py:129
            self.db_pool = await asyncpg.create_pool(
                host=os.getenv("DB_HOST", "postgres"),
                port=int(os.getenv("DB_PORT", 5432)),
                database=os.getenv("DB_NAME", "borgos"),
                user=os.getenv("DB_USER", "borgos"),
                password=os.getenv("DB_PASSWORD", "borgos123"),  # weak hardcoded fallback
                min_size=10,
                max_size=20
            )

// Network-exposed database or environment variable leakage could lead to credential exposure.

EXPLAIN: The database password defaults to `borgos123` if the environment variable `DB_PASSWORD` is not set. This hardcoded default is weak and could be exploited if the database is reachable over the network or if an attacker gains access to the environment.
IMPACT: An attacker could connect to the PostgreSQL database using the default credentials, potentially accessing or modifying all stored data.
FIX: Remove the hardcoded default password. Require the `DB_PASSWORD` environment variable to be set to a strong, unique password. Use secrets management.
MEDIUM · 1 finding
core/agent_zero_integration.py:60
    def create_default_env(self):
        """Create default .env file for Agent Zero"""
        env_content = """
# Agent Zero Configuration for BorgOS

# API Keys (will be managed by BorgOS)
OPENAI_API_KEY=
ANTHROPIC_API_KEY=
GROQ_API_KEY=
OPENROUTER_API_KEY=
GOOGLE_API_KEY=
...

// Local file exposure could leak API keys if the .env file is readable.

EXPLAIN: The `create_default_env` method writes a `.env` file with placeholder API keys. Creating the file with empty keys is mostly a source of confusion; the real concern is that once the file is populated with live keys, they could be exposed if the file permissions are not restrictive or if the file is reachable through the web server.
IMPACT: An attacker could read the `.env` file and obtain API keys for various AI services, leading to unauthorized usage and potential financial loss.
FIX: Do not create default .env files with placeholder keys. Use environment variables exclusively and ensure proper file permissions.
LOW · 1 finding
scripts/server.js:27
const OLLAMA_HOST = process.env.OLLAMA_HOST || 'http://localhost:11434';

// Requires control over environment variables, which is unlikely in normal deployment but possible if the attacker has local access.

EXPLAIN: The `OLLAMA_HOST` environment variable is used to construct the URLs for API requests to Ollama. If an attacker can control this variable (e.g., via a compromised configuration), they could make the server send requests to arbitrary hosts, potentially leading to SSRF.
IMPACT: An attacker could use the server as a proxy to scan internal networks or access internal services.
FIX: Validate and sanitize the `OLLAMA_HOST` environment variable. Restrict it to an allowlist of permitted hosts or use a fixed internal address.
5/21/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.