Report security vulnerabilities using GitHub's private vulnerability reporting:
Do not open a public issue. We will acknowledge your report within 3 business days and work with you to assess and address the issue before any public disclosure.
The following are in scope for security reports:
- The `clagentic-router` daemon process and its HTTP API
- Bearer token authentication and authorization enforcement
- Webhook HMAC signing and delivery
- Configuration parsing — specifically any path where malformed config could allow privilege escalation, credential leakage, or denial of service
- SQLite state store — any path where stored data could be manipulated to affect routing or auth decisions
The following are out of scope:
- Vulnerabilities in the upstream LLM providers (Anthropic, OpenAI, etc.)
- The `claude`, `codex`, or `gemini` CLI binaries and their OAuth sessions
- Issues requiring physical access to the host
Please provide:
- Version — output of `clagentic-router version`
- Reproduction steps — minimal config and request sequence that triggers the issue
- Impact — what an attacker can achieve (e.g., unauthenticated access, token exfiltration, SSRF, DoS)
- Suggested fix (optional but appreciated)
| Stage | Target |
|---|---|
| Acknowledgement | 3 business days |
| Initial assessment | 7 business days |
| Fix or workaround | Dependent on severity; critical issues prioritised |
| Public disclosure | Coordinated with reporter after fix is available |