GHSA-xq7h-vwjp-5vrh: @grackle-ai/powerline Runs Without Authentication by Default
Summary
The PowerLine gRPC server (a service that runs code through remote procedure calls, which is a way for programs to request actions from each other over a network) from @grackle-ai/powerline runs without any authentication by default when a token is not provided, allowing anyone who can reach the server to execute code and access credentials. Although the server only listens on localhost (127.0.0.1, the local machine) by default, it becomes critically dangerous if accidentally exposed on a network through containers or port forwarding.
Solution / Mitigation
Update to version 0.70.1, which changes the behavior to require an explicit `--no-auth` flag to intentionally run without authentication, rather than silently defaulting to no auth. The fix throws an error if the server starts without a token and without the `--no-auth` flag. As a workaround for earlier versions, always provide `--token` or set the `GRACKLE_POWERLINE_TOKEN` environment variable when starting PowerLine.
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://github.com/advisories/GHSA-xq7h-vwjp-5vrh
First tracked: March 25, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 92%