CVE-2026-1664: Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing

February 3, 2026

An Insecure Direct Object Reference (CWE-639) has been found to exist in createHeaderBasedEmailResolver() function within the Cloudflare Agents SDK. The issue occurs because the Message-ID and References headers are parsed to derive the target agentName and agentId without proper validation or origin checks, allowing an external attacker with control of these headers to route inbound mail to arbitrary Durable Object instances and namespaces.

References

github.com/advisories/GHSA-r7x9-8ph7-w8cg
github.com/cloudflare/agents
github.com/cloudflare/agents/blob/main/docs/email.md
github.com/cloudflare/agents/security/advisories/GHSA-r7x9-8ph7-w8cg
nvd.nist.gov/vuln/detail/CVE-2026-1664

Code Behaviors & Features

Detect and mitigate CVE-2026-1664 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →