{"data":{"id":"4650a91a-07f2-4d60-8672-141559874fea","title":"GHSA-xq7h-vwjp-5vrh: @grackle-ai/powerline Runs Without Authentication by Default","summary":"The PowerLine gRPC server from @grackle-ai/powerline (a service that runs code through remote procedure calls, a way for programs to request actions from each other over a network) starts without any authentication when no token is provided, so anyone who can reach the server can execute code and access credentials. By default the server listens only on localhost (127.0.0.1, the local machine), which limits who can reach it but does not authenticate callers; the missing authentication becomes critically dangerous if the port is accidentally exposed on a network through containers or port forwarding.","solution":"Update to version 0.70.1, which requires an explicit `--no-auth` flag to run without authentication instead of silently defaulting to no authentication. With the fix, the server throws an error if it is started without a token and without the `--no-auth` flag. As a workaround for earlier versions, always provide `--token` or set the `GRACKLE_POWERLINE_TOKEN` environment variable when starting PowerLine.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-xq7h-vwjp-5vrh","publishedAt":"2026-03-25T17:30:46.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["other"],"issueType":"vulnerability","affectedPackages":["@grackle-ai/powerline@<= 0.70.0 (fixed: 0.70.1)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["Grackle AI","@grackle-ai/powerline"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-03-25T17:30:46.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}