{"data":{"id":"0300cf16-2d47-4f20-bf0a-4d041e5afa29","title":"GHSA-fq4x-789w-jg5h: AgenticMail: Unauthenticated inbound mail triggers bypassPermissions resume of the operator's Claude Code session (bridge-wake)","summary":"In AgenticMail's bridge-wake path, unauthenticated inbound emails can trigger a privileged Claude Code session with `permissionMode: 'bypassPermissions'` (a mode that disables the permission checks that normally gate the agent's actions). The email's sender address, subject, and preview are embedded directly into the AI's prompt without verifying that the sender is the operator, allowing prompt injection (instructions hidden in the email that the model then follows) that could lead to arbitrary code execution and file access under the operator's identity. A similar handler in the same codebase authenticates the sender before acting; the bridge-wake path does not.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-fq4x-789w-jg5h","publishedAt":"2026-06-18T17:21:27.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["prompt_injection"],"issueType":"vulnerability","affectedPackages":["@agenticmail/openclaw@< 0.5.71 (fixed: 0.5.71)","@agenticmail/codex@< 0.1.33 (fixed: 0.1.33)","@agenticmail/claudecode@< 0.2.39 (fixed: 0.2.39)","@agenticmail/core@< 0.9.43 (fixed: 0.9.43)"],"affectedVendors":["Anthropic"],"affectedVendorsRaw":["Anthropic","Claude Code","AgenticMail"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-06-18T17:21:27.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"agent","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}