Network-AI
Release

v5.13.4 - Security: ApprovalInbox + APSAdapter fail-closed fixes

Published 2026-07-05 | Release notes

The v5.12.2 secret / checkAuth() gate covered only the two mutating routes (POST /approve, POST /deny), leaving GET /, GET /stats, GET /sse, and GET /:id unauthenticated even when a secret was configured, disclosing queu

Read the release here or open the original release on GitHub.

Security Fixes

GHSA-m4jg-6w3q-gm86 — ApprovalInbox read routes unauthenticated + wildcard CORS (High, CWE-862, CWE-352)

The v5.12.2 secret / checkAuth() gate covered only the two mutating routes (POST /approve, POST /deny), leaving GET /, GET /stats, GET /sse, and GET /:id unauthenticated even when a secret was configured, disclosing queued high-risk action content. The handler also hardcoded Access-Control-Allow-Origin: *.

Fixed:

  • checkAuth() now gates the entire routeRequest() pipeline before route dispatch, covering every route uniformly.
  • Removed the hardcoded wildcard CORS header; added allowedOrigins?: string[] option on ApprovalInboxOptions — no CORS header is sent unless the request Origin exactly matches an allowlisted entry.

Reported by sec-reex via private security advisory.

GHSA-3jf7-33vc-hgf4 — APSAdapter default local verifier accepts any non-empty signature (High, CWE-347, CVSS 8.6)

With the default verificationMode: 'local' and no caller-supplied verifySignature callback (the documented canonical setup), verifyDelegation() treated any non-empty string as a valid cryptographic signature, allowing a forged delegation to obtain a signed SHELL_EXEC permission-grant token with no authentication.

Fixed:

  • initialize() now throws if verificationMode is local (the default) and no verifySignature callback is configured.
  • verifyDelegation()'s fallback now returns false instead of a length check, failing closed as defense in depth.

Also fixed

  • SkillSpector Intent-Code Divergence in scripts/blackboard.py header comment (env-scoped data dir I/O documentation).

Testing: 3,388/3,388 tests passing across 38 suites, tsc --noEmit clean.

Release FAQ

Fast answers for operators and answer engines.

What changed in v5.13.4?

The v5.12.2 secret / checkAuth() gate covered only the two mutating routes (POST /approve, POST /deny), leaving GET /, GET /stats, GET /sse, and GET /:id unauthenticated even when a secret was configured, disclosing queu

When was v5.13.4 published?

v5.13.4 was published on Jul 5, 2026.

Continue evaluating

Cross-check the release signals.

Use the changelog, benchmark notes, and security policy together to validate that the release story lines up with public maintenance discipline.

Changelog Benchmarks Security