OpenLumara Agent Security Challenge Reveals Multiple Sandbox Bypass Vulnerabilities
English summary
The developer of OpenLumara, an AI agent, set up a public Discord bot challenge to test its sandbox security against real hackers. Despite initial claims of robust protection, three distinct vulnerabilities were quickly found. A path traversal flaw in the coder module allowed unintended file access, an authorization bypass occurred by appending a public command to restricted ones, and a third undisclosed exploit was reported. The developer acknowledged all issues and published corresponding fixes via GitHub commits.
Key points
A public security challenge was launched for the OpenLumara AI agent on Discord, inviting hackers to break its sandboxes.
Three vulnerabilities were discovered: a path traversal bug in the coder module, a command authorization bypass via public command appending, and an undisclosed exploit.
The developer promptly fixed the vulnerabilities that were found and published the patches on GitHub.
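The authorization bypass described in the summary belongs to a common class of flaw: a message carrying several commands is approved as a whole instead of command by command. The sketch below is an added example, not OpenLumara's code or its fix; the command names, the `;` separator and every function name are assumptions made for illustration.

```python
# Added illustration. Command names and the ";" separator are constructed,
# not taken from OpenLumara.
PUBLIC = {"help", "ping"}
RESTRICTED = {"shell", "readfile"}

def parse(message):
    """Split a chat message into (name, args) pairs, one per chained command."""
    commands = []
    for part in message.split(";"):
        words = part.split()
        if words:
            commands.append((words[0].lstrip("!").lower(), words[1:]))
    return commands

def authorize_weak(message, is_admin):
    """Flawed: one public command anywhere in the message approves all of it."""
    names = [name for name, _ in parse(message)]
    return is_admin or any(name in PUBLIC for name in names)

def authorize_strict(message, is_admin):
    """Every command is checked on its own; unknown names are denied."""
    commands = parse(message)
    if not commands:
        return False
    for name, _ in commands:
        if name in PUBLIC:
            continue
        if name in RESTRICTED and is_admin:
            continue
        return False
    return True

def run(message, is_admin, authorize):
    """Return the command names that would execute under the given policy."""
    if not authorize(message, is_admin):
        return []
    return [name for name, _ in parse(message)]

if __name__ == "__main__":
    # Constructed sample messages from a non-admin user.
    for msg in ("!help", "!readfile notes.txt", "!readfile notes.txt; !help"):
        print(repr(msg), run(msg, False, authorize_weak),
              run(msg, False, authorize_strict))
```

The strict policy also denies command names it does not recognise, so a command added later is blocked until it is explicitly classified.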