Banked from the DB-GPT v0.8.1 unauth RCE finding (the session's first submittable cash candidate after 3 disciplined WALKs).
LLM "agent" frameworks expose TOOLS the agent can call. A code_interpreter/python/shell/exec tool that runs attacker-influenced code is RCE IF: (a) the tool runs code UNSANDBOXED (raw subprocess/exec/eval/create_subprocess_exec(sys.executable,...) with only a syntax-check or timeout), AND (b) the agent endpoint is reachable at low/no privilege. The HIGH-SIGNAL TELL = a SANDBOX ASYMMETRY: the project sandboxes ONE tool (e.g. shell via a LocalRuntime with mem/time limits + an eval/exec blocklist) but NOT a sibling (e.g. the python tool runs raw) -> the unsandboxed one is an oversight, not by-design. Grep any agent framework for: the tool registry/ToolPack, create_subprocess_exec/subprocess/exec(/eval( in tool functions, and compare guard treatment across sibling tools.
- Reachability via the LLM is NOT a barrier: the tool is advertised to the agent ("Execute arbitrary Python code"); a user message asking to run code triggers it - that is the agent's designed behavior. Drive the live PoC with a deterministic FAKE OpenAI-compatible endpoint that returns the Action: <tool> {code} step (no real LLM key needed).
Many OSS AI apps ship a DEFAULT auth dependency that is a stub returning a hardcoded admin (DB-GPT get_user_from_headers returns role=admin for any/no header). VERIFY the severity-driving unauth claim by: (a) reading the auth dependency function (often 10-20 lines, dispositive from source); (b) confirming NO global middleware (grep dbgpt_server/app for add_middleware/@app.middleware); (c) confirming NO router-level dependencies=; (d) checking whether any real-auth (api_keys/Bearer) gates THIS route or only a different prefix (DB-GPT's api_keys gate ONLY /api/v2, not /v1). If the only auth is the mock and nothing overrides it -> unauth is the shipped default (don't accept "prod adds auth" if there is no auth path in the code).
After 2 WALKs on mature audited protocols (GitLab CE, SSV v2.0) + 3 saturated model-file sub-lanes (ONNX/Keras/GGUF), the highest EV-per-hour for THIS box = the huntr OSV (Open Source Vulnerabilities) lane: freshest/least-picked AI APPS (path-traversal/SSRF/file-write/deser/agent-tool->RCE), my demonstrated strength (Bisheng/lollms/DB-GPT), fast web-app PoC, cash-by-severity, clean filing. CALIBRATION CAVEAT: OSV pays by CVSS (~$600 Critical + $150 fix), NOT the $4000 MFV model-file tier - higher find-PROBABILITY, lower per-find $. Tell the operator the $ tier up front for expectation-setting. The freshest-launched repo (a feature NEW in the latest release, like DB-GPT agentic_data_api.py in v0.8.1) is the disclosure-cleanest (no prior reports) = highest EV.
Related: [[feedback_standing_doctrine_2026_06_09]], [[2026-06-21-cycle271-gguf-chattemplate-ssti-saturated]].