GHSA-2r2p-4cgf-hv7h: engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection
The local HTTP server started by engram server (binding 127.0.0.1:7337 by default) was exposed to any browser origin with no authentication unless ENGRAM_API_TOKEN was explicitly set. Combined with Access-Control-Allow-Origin: * on every response and a body parser that did not require Content-Type: application/json, this allowed a malicious web page the developer visited to:
- Exfiltrate the local knowledge graph via GET /query and GET /stats (function names, file layout, recorded decisions/mistakes).
- Inject persistent prompt-injection payloads via POST /learn, which wrote mistake/decision nodes that were later surfaced as system-reminders to the user’s AI coding agent on every future session and file edit.
Severity: High — confidentiality + persistent indirect prompt injection against the user’s coding agent.
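
The three conditions described above (wildcard Access-Control-Allow-Origin, no token unless configured, no Content-Type requirement) can be closed in a single request gate. This is an added example, not engram's code or its actual fix; gateRequest, ALLOWED_ORIGINS, the Bearer Authorization scheme and the sample token are assumptions.

```javascript
// Added illustration, not engram's code. gateRequest, ALLOWED_ORIGINS and the
// Bearer scheme are assumptions; only port 7337 and ENGRAM_API_TOKEN come from the advisory.
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:7337", "http://localhost:7337"]);

// Compare without an early exit so timing does not reveal a matching prefix.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  return diff === 0;
}

// req: { method, headers } with lower-cased header names, as Node's http module provides.
// token: the configured secret (e.g. process.env.ENGRAM_API_TOKEN); empty means refuse to serve.
function gateRequest(req, token) {
  const origin = req.headers["origin"];
  const headers = {};
  if (origin !== undefined) {
    // Browser-originated request: never answer with "*", echo only allowlisted origins.
    if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers };
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Vary"] = "Origin";
  }
  if (req.method === "OPTIONS") {
    headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
    return { status: 204, headers };
  }
  // Fail closed: a missing token disables the API instead of disabling auth.
  if (!token) return { status: 503, headers };
  const auth = req.headers["authorization"] || "";
  if (!auth.startsWith("Bearer ") || !safeEqual(auth.slice(7), token)) return { status: 401, headers };
  // text/plain and form bodies are CORS "simple" requests that skip preflight; reject them.
  if (req.method === "POST") {
    const type = (req.headers["content-type"] || "").split(";")[0].trim().toLowerCase();
    if (type !== "application/json") return { status: 415, headers };
  }
  return { status: 200, headers };
}

// Constructed sample: the cross-site write to /learn that the advisory describes.
const crossSiteLearn = { method: "POST", headers: { origin: "https://attacker.example", "content-type": "text/plain" } };
console.log(gateRequest(crossSiteLearn, "constructed-token").status);
```

Requests without an Origin header (CLI clients, local hooks) skip the allowlist and are decided by the token check alone.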