CVE-2026-1721 Overview
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the AI Playground's OAuth callback handler. The error_description query parameter was directly interpolated into an HTML script tag without proper escaping, allowing attackers to execute arbitrary JavaScript in the context of the victim's session. This vulnerability affects the Cloudflare Agents SDK and specifically impacts applications using the configureOAuthCallback function.
Critical Impact
Attackers can craft malicious links that, when clicked by victims, steal user chat message history and access connected MCP servers, potentially allowing unauthorized actions on the victim's behalf.
Affected Products
- Cloudflare Agents SDK (versions prior to agents@0.3.10)
- AI Playground OAuth callback handler
- Applications using configureOAuthCallback with custom error handling
Discovery Timeline
- 2026-02-13 - CVE CVE-2026-1721 published to NVD
- 2026-02-13 - Last updated in NVD database
Technical Details for CVE-2026-1721
Vulnerability Analysis
This Reflected XSS vulnerability exists in the OAuth callback handler implementation within site/ai-playground/src/server.ts. The vulnerability allows attackers to inject arbitrary JavaScript code that executes within the security context of an authenticated user's browser session.
When exploited, an attacker gains the ability to steal all LLM interactions stored in the user's session through access to chat message history. Additionally, the attacker can interact with any MCP (Model Context Protocol) servers connected to the victim's session, including both public and authenticated/private servers. This level of access enables the attacker to perform actions on the victim's behalf, potentially leading to data exfiltration or unauthorized operations within connected services.
Root Cause
The OAuth callback handler directly interpolated the authError value, sourced from the error_description query parameter, into an inline <script> tag without proper input sanitization or encoding. This implementation flaw allows user-controlled input to be rendered as executable JavaScript code rather than being treated as text content.
The vulnerable code path processes OAuth error responses by embedding the error description directly into client-side JavaScript, bypassing any output encoding that would prevent script injection.
Attack Vector
The attack is network-based and requires user interaction. An attacker must craft a malicious OAuth callback URL containing JavaScript code within the error_description parameter. When a victim clicks this link, typically delivered through phishing emails, social engineering, or compromised websites, the malicious JavaScript executes within the victim's authenticated session context.
The attack flow involves crafting a URL targeting the OAuth callback endpoint with a payload injected into the error_description parameter. When processed, the backend interpolates this value directly into a <script> tag, causing the browser to execute the attacker's JavaScript with full access to the victim's session data and connected services.
Detection Methods for CVE-2026-1721
Indicators of Compromise
- Suspicious OAuth callback requests containing JavaScript syntax in the error_description parameter
- Unusual patterns in URL parameters including <script>, javascript:, or encoded equivalents
- Unexpected outbound connections following OAuth error callbacks
- Anomalous access patterns to MCP server endpoints from user sessions
Detection Strategies
- Implement web application firewall (WAF) rules to detect XSS payloads in OAuth callback parameters
- Monitor application logs for OAuth error callbacks containing HTML/JavaScript special characters
- Deploy client-side XSS detection mechanisms to identify DOM manipulation attempts
- Review network traffic for data exfiltration patterns following OAuth callback processing
Monitoring Recommendations
- Enable verbose logging for the OAuth callback handler to capture all parameter values
- Implement Content Security Policy (CSP) violation reporting to detect injection attempts
- Monitor for unusual session activity following OAuth error states
- Track access patterns to chat history and MCP server endpoints for anomalies
How to Mitigate CVE-2026-1721
Immediate Actions Required
- Upgrade to agents@0.3.10 or later immediately
- Review any custom implementations using configureOAuthCallback for similar vulnerabilities
- Implement input validation and output encoding for all user-controlled parameters
- Deploy Content Security Policy headers to mitigate XSS impact
Patch Information
Cloudflare has released a security fix addressing this vulnerability. The patch is available in GitHub Pull Request #841. Users of the agents-sdk should upgrade to version agents@0.3.10 or later to remediate this vulnerability.
Developers who have implemented custom error handling using configureOAuthCallback in their own applications should review their code to ensure all user-controlled input is properly escaped before interpolation into HTML or JavaScript contexts.
Workarounds
- Implement server-side validation to reject OAuth callback requests containing suspicious characters in query parameters
- Deploy a WAF rule to block requests with potential XSS payloads targeting the OAuth callback endpoint
- Add Content Security Policy headers with script-src restrictions to prevent inline script execution
- Consider temporarily disabling custom OAuth error messaging until the patch can be applied
# Upgrade agents-sdk to patched version
npm update agents@0.3.10
# Or install specific version
npm install agents@0.3.10 --save
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
