GitHub’s trending repository of the day has an unprotected backend that puts OpenAI, Grok, and Google API keys within reach of any malicious web page
TL;DR
- Severity: High
- Affected Versions: 0.1.0 through 0.3.11 (all versions up to latest)
- Fixed Version: None
- Impact: Exposure of API keys and private information; unauthenticated invocation of backend actions (including agent control) on the user's behalf
Overview
OX researchers discovered CVE-2025-69443, a high-severity vulnerability in Archon OS that lets a malicious web page cross the web-to-client boundary: JavaScript on the page sends requests to Archon's backend on the victim's machine, and because that backend requires no authentication and does not restrict cross-origin access, the page can read the responses. Exploitation exposes sensitive environment variables, including API keys for OpenAI, Grok, and Google, and lets the attacker invoke backend actions such as calling agents, so that the attacker acts fully on the user's behalf.
With over 21,200 GitHub stars and 3,200 forks, Archon is one of the most widely adopted open-source hubs for AI context engineering and agent orchestration. Its role as a central command layer for AI coding workflows makes this vulnerability a significant threat to the developer and research communities relying on it.
What We Found
Archon OS is an AI-powered project and knowledge management platform that lets AI agents access tasks, documentation, and workflows via its MCP interface. It is open source and can be downloaded from GitHub.
During our research, we found that user-defined configuration, including API keys, can be read by any malicious website the user visits: the page issues requests to Archon's ports on localhost, crossing from the web into the local client. Archon's UI port sends restrictive CORS headers, but its backend port does not and requires no authentication, so the browser lets the malicious page read whatever the backend returns.
There are currently 24 Internet-exposed Archon instances that are unauthenticated and vulnerable to API key and data leakage.
How the Attack Works
Archon exposes two ports locally:
- Port 3737 — the UI layer, protected by CORS configuration
- Port 8181 — the backend layer, with no CORS protection and no authentication
When we sent a request from an external website to port 3737, the browser correctly blocked it under the UI's CORS policy.


The same request directed to port 8181 succeeded: the backend returned the user's configured API keys without any authentication challenge.


Beyond key extraction, the unprotected backend let us fully control the Agent feature: enabling and disabling UI elements, calling agents on behalf of the user, and reading private data. Note that CORS only governs whether the calling page can read a response, not whether the server processes the request. A request the browser sends without a preflight (a GET, or a form-encoded POST) still reaches the backend and executes, so a port that can act on the user's behalf needs authentication, not CORS headers alone.
Impact
- Information exposure: API keys for OpenAI, Grok, Google, and other configured LLM providers are retrievable without authentication.
- Unauthorized control: An attacker can invoke any unprotected backend API call, controlling agents, toggling UI features, and reading user data.
- Financial risk: Compromised LLM API keys enable unauthorized model consumption and potential billing exposure.
Responsible Disclosure
- Nov 24, 2025: OX reached out to the Archon team via GitHub. No official response.
- Dec 22, 2025: OX followed up. The maintainer closed the issue with the following response: “This is meant to just be a local app right now, I am aware of these things once we support deployments!”
Recommendations
For Archon users:
- Do not expose port 8181 beyond the machine: bind it explicitly to 127.0.0.1 and restrict access with firewall rules. This stops remote attackers (the Internet-exposed instances noted above) but not a malicious page in your own browser, which can still reach 127.0.0.1; only authentication on the backend closes that path.
- Do not store sensitive API keys in Archon until authentication is implemented on the backend.
- Avoid running unauthenticated local services when those services handle credentials or can act on your behalf.
For the Archon maintainers:
- Implement authentication on the backend port (8181), not just the UI layer.
- Apply CORS restrictions consistently across all exposed ports, treating them as a complement to authentication rather than a substitute for it.
- Add port-level access controls as a baseline before any deployment support is introduced.
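Added example, not Archon's code or OX's proof of concept: a small Python model of the behaviour described under "How the Attack Works" and of the fix recommended to the maintainers above. The endpoint paths (/settings, /agents/run), the attacker origin, the bearer-token scheme and the sample key are constructed for illustration. It assumes the vulnerable backend answers with a wildcard Access-Control-Allow-Origin header, which is what "no CORS protection" amounts to in practice. It reproduces the three outcomes the writeup reports (3737 blocked, 8181 leaks keys, a hardened 8181 refuses) and adds one the writeup implies: a CORS allowlist alone hides the response from the page but still lets a state-changing request execute server-side, so the backend also needs authentication.

```python
"""Model of a web page on an attacker origin talking to a local backend.
Added example; not Archon's code. All paths, origins and keys are constructed."""
from dataclasses import dataclass, field
import hmac
import secrets

# Constructed sample data (not a real key): what the vulnerable backend returns.
FAKE_SETTINGS = {"OPENAI_API_KEY": "sk-example-not-a-real-key"}


@dataclass
class Request:
    origin: str                 # Origin header the browser attaches to cross-site fetches
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Policy:
    allowed_origins: set        # origins allowed to read responses; {"*"} means any origin
    require_token: bool = False
    api_token: str = ""


@dataclass
class AgentState:
    runs: int = 0               # counts "call an agent" actions executed server-side


def browser_can_read(policy: Policy, origin: str) -> bool:
    """Browser-side check. CORS only decides whether the calling page may READ
    the response; by the time it is evaluated the request has reached the server."""
    return "*" in policy.allowed_origins or origin in policy.allowed_origins


def server_handle(policy: Policy, req: Request, state: AgentState) -> tuple:
    """Server-side check: authentication, independent of the Origin header."""
    if policy.require_token:
        presented = req.headers.get("Authorization", "")
        expected = "Bearer " + policy.api_token
        if not hmac.compare_digest(presented, expected):   # constant-time compare
            return 401, {"error": "unauthorized"}
    if req.method == "GET" and req.path == "/settings":
        return 200, dict(FAKE_SETTINGS)                    # leaks configured API keys
    if req.method == "POST" and req.path == "/agents/run":
        state.runs += 1                                    # acts on the user's behalf
        return 200, {"started": True}
    return 404, {}


def cross_site_fetch(policy: Policy, req: Request, state: AgentState):
    """Outcome from the malicious page's point of view: the body it could read,
    or None if the browser withheld the response. The server always runs."""
    status, body = server_handle(policy, req, state)
    if status != 200 or not browser_can_read(policy, req.origin):
        return None
    return body


EVIL = "https://attacker.example"   # hypothetical origin hosting the malicious page
UI_ORIGIN = "http://localhost:3737"


def run_scenarios() -> dict:
    ui_policy = Policy(allowed_origins={UI_ORIGIN})              # port 3737 as described
    vulnerable = Policy(allowed_origins={"*"})                   # port 8181 as found
    cors_only = Policy(allowed_origins={UI_ORIGIN})              # incomplete fix: CORS, no auth
    hardened = Policy(allowed_origins={UI_ORIGIN},
                      require_token=True, api_token=secrets.token_urlsafe(32))
    read_keys = Request(EVIL, "GET", "/settings")
    run_agent = Request(EVIL, "POST", "/agents/run")   # modelled as a form POST, sent without preflight

    results = {}
    # The UI port is modelled with the same handler; only the origin check matters here.
    results["ui_3737"] = cross_site_fetch(ui_policy, read_keys, AgentState())
    results["backend_8181_vulnerable"] = cross_site_fetch(vulnerable, read_keys, AgentState())
    results["backend_8181_hardened"] = cross_site_fetch(hardened, read_keys, AgentState())

    state = AgentState()
    cross_site_fetch(cors_only, run_agent, state)
    results["cors_only_side_effect_runs"] = state.runs   # page cannot read the reply, agent ran anyway

    state = AgentState()
    cross_site_fetch(hardened, run_agent, state)
    results["hardened_side_effect_runs"] = state.runs    # rejected with 401 before acting
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Running the file prints one line per scenario. The two side-effect counters are the point for the maintainers' fix: the CORS-only policy reports one agent run even though the attacker's page saw nothing, while the token-protected policy reports zero.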
The Broader Context: Why MCP Security Matters
This finding is part of OX Security’s ongoing MCP research initiative. Last month, OX disclosed a systemic, design-level vulnerability in Anthropic’s MCP STDIO implementation — a flaw that propagated through downstream AI agent frameworks, developer IDEs, and MCP marketplaces, exposing an estimated 150 million downloads to risk.
Archon is a downstream MCP hub. The same pattern holds: as AI agents become more deeply embedded in developer workflows, the trust boundaries between web, local services, and agent infrastructure become the attack surface. This CVE is a concrete example of what happens when those boundaries are not enforced.


