GHSA-xq7h-vwjp-5vrh: @grackle-ai/powerline Runs Without Authentication by Default
Summary
The PowerLine gRPC server (a service that runs code through remote procedure calls, which is a way for programs to request actions from each other over a network) from @grackle-ai/powerline runs without any authentication by default when a token is not provided, allowing anyone who can reach the server to execute code and access credentials. Although the server only listens on localhost (127.0.0.1, the local machine) by default, it becomes critically dangerous if accidentally exposed on a network through containers or port forwarding.
Solution / Mitigation
Update to version 0.70.1, which changes the behavior to require an explicit `--no-auth` flag to intentionally run without authentication, rather than silently defaulting to no auth. The fix throws an error if the server starts without a token and without the `--no-auth` flag. As a workaround for earlier versions, always provide `--token` or set the `GRACKLE_POWERLINE_TOKEN` environment variable when starting PowerLine.
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-xq7h-vwjp-5vrh
First tracked: March 25, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 92%