crucible scan http://target:7860 --override
LangFlow, PraisonAI, AnythingLLM, LangChain, n8n — built by different teams, funded by different investors, deployed in different environments. Yet every new framework independently ships YAML deserialization RCE, unauthenticated event streams, sandbox escapes, and command injection. CRUCIBLE is the systematic weaponisation of this pattern.
Agent configuration files parsed with unsafe loaders. `!!python/object/apply` and `!!js/function` tags trigger arbitrary code execution during load. Affects PraisonAI, LangFlow, and every framework that accepts YAML agent definitions.
CVE-2026-39890 CVSS 9.8

Agent-to-User event streams exposed without authentication. Subscribe with a POST, receive a stream of every agent message, tool call, internal reasoning step, and credential passed to any tool. No exploit required.
CVE-2026-39889 PASSIVE

Code execution sandboxes blocking 11 Python attributes miss a 4-step chain: `__traceback__` → `tb_frame` → `f_back` → `f_builtins` → `exec()`. Complete host breakout from any PraisonAI code execution environment.
CVE-2026-39888 CVSS 9.9

LangFlow's public flow build endpoint passes attacker-supplied Python code nodes directly to `exec()` with zero sandboxing. No authentication. No rate limiting. Exploited in the wild within 20 hours of disclosure.
CVE-2026-33017 CVSS 9.3 KEV

AnythingLLM Desktop renders LLM output via `dangerouslySetInnerHTML` without sanitization. Electron's `nodeIntegration` allows the injected script to call `require('child_process')` — full host OS command execution from a chat message.
CVE-2026-32626 CVSS 9.6

LangFlow's file upload API doesn't sanitize multipart filename parameters. Write arbitrary files to any path on the host filesystem via `../../../../` sequences. Plant backdoors, overwrite configs, escalate to full compromise.
CVE-2026-33309 CVSS 9.9

CRUCIBLE is not a scanner. Every subsystem performs a specific function in the attack chain — from framework fingerprinting through to WARLORD handoff. Each subsystem is independently invocable.
Version-aware identification of LangFlow, PraisonAI, AnythingLLM, LangChain, n8n, CrewAI, AutoGen. Framework-specific endpoint probes, API response signatures, header patterns. Not port scanning.
PASSIVE — NO AUTH

Default credential testing across all framework auth endpoints. Unauthenticated path enumeration. Auth bypass detection. Returns session token — required by authenticated CRACK modules (e.g., CVE-2026-33309).
UNLEASHED --override

Real, working exploit modules for each vulnerability class. Version-aware. Ordered by CVSS severity — highest impact first. v1 covers LangFlow, PraisonAI, AnythingLLM. v1.1 adds LangChain + n8n.
UNLEASHED --override

Passively subscribes to unauthenticated agent event streams. Collects live conversations, tool calls, internal reasoning, and credentials in transit. CVE-2026-39889. No exploitation required. CRUCIBLE's signature capability.
PASSIVE — NO AUTH

Injects adversarial directives into agent configuration via the framework API. Establishes persistent backdoor agents. Redirects tool calls. Turns the hijacked agent into a WARLORD-controlled asset.
UNLEASHED --confirm-destroy

Packages hijacked agents and RCE findings as signed WARLORD campaign assets. WARLORD uses the compromised agent for lateral movement, data exfiltration, and fleet-wide attack via FIREBALL + RAGNAROK.
UNLEASHED --confirm-destroy

Ed25519-signed, SHA-256-hashed reports. JSON (WARLORD-compatible) + Markdown. Includes captured SSE traffic, exploit payloads, agent session logs, and WARLORD handoff receipt. SIEM-ready.
ALL MODES

CRUCIBLE's attack chain closes the loop: external framework vulnerability → internal agent compromise → fleet-wide WARLORD campaign asset.
Every module is working code tested against the specified vulnerable version. No stubs. No simulations. Version-aware — SIGNAL feeds the exact version into module selection.
| Module | CVE / Advisory | Framework | CVSS | Auth | Vulnerability |
|---|---|---|---|---|---|
| CRACK-LF-001 | CVE-2026-33017 | LangFlow | 9.3 | No | Unauthenticated RCE via exec() in public flow build endpoint |
| CRACK-LF-002 | CVE-2026-33309 | LangFlow | 9.9 | Yes | Arbitrary file write via path traversal in /api/v2/files/ |
| CRACK-PA-001 | GHSA-2763-cj5r-c79m | PraisonAI | 9.1 | No | OS command injection via shell=True in workflow execution |
| CRACK-PA-002 | CVE-2026-39888 | PraisonAI | 9.9 | No | Sandbox escape via exception frame traversal in execute_code |
| CRACK-PA-003 | CVE-2026-39890 | PraisonAI | 9.8 | No | RCE via unsafe YAML deserialization in agent configuration |
| CRACK-AL-001 | CVE-2026-32626 | AnythingLLM | 9.6 | No | XSS → RCE via Electron dangerouslySetInnerHTML (Desktop) |
v1.1 adds: CRACK-LC-001 (LangChain CVE-2026-34070), CRACK-N8-001 (n8n)
v2 adds: CrewAI, AutoGen modules
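The unsafe-YAML row in the table (CVE-2026-39890) depends on agent definitions being parsed by a loader that honours language tags such as `!!python/object/apply`. The defensive counterpart is shown here as an added example, not code from PraisonAI, LangFlow or CRUCIBLE; it assumes PyYAML, and `load_agent_definition`, `ALLOWED_KEYS` and the sample documents are hypothetical.

```python
import yaml  # PyYAML

# Hypothetical schema for this example; real frameworks define their own keys.
ALLOWED_KEYS = {"name", "role", "goal", "tools"}


class RejectedDefinition(ValueError):
    """The document is not an acceptable plain-data agent definition."""


def load_agent_definition(text: str) -> dict:
    """Parse an agent definition with the safe loader, then validate its shape."""
    try:
        # SafeLoader builds only plain data (str, int, list, dict, ...);
        # language-specific tags have no constructor and raise an error.
        data = yaml.safe_load(text)
    except yaml.YAMLError as exc:
        raise RejectedDefinition(
            f"rejected by safe loader: {type(exc).__name__}") from exc
    if not isinstance(data, dict):
        raise RejectedDefinition("top level must be a mapping")
    unknown = sorted(str(k) for k in data if k not in ALLOWED_KEYS)
    if unknown:
        raise RejectedDefinition(f"unknown keys: {unknown}")
    if not isinstance(data.get("name"), str):
        raise RejectedDefinition("name must be a string")
    tools = data.get("tools", [])
    if not isinstance(tools, list) or not all(isinstance(t, str) for t in tools):
        raise RejectedDefinition("tools must be a list of strings")
    return data


def verdict(text: str) -> str:
    """Return 'accepted' or the rejection reason, for logging or CI checks."""
    try:
        load_agent_definition(text)
        return "accepted"
    except RejectedDefinition as exc:
        return str(exc)


# Constructed samples. TAGGED names a harmless callable and is only ever
# passed to the safe loader, which refuses it.
PLAIN = "name: researcher\nrole: analyst\ntools: [search, summarize]\n"
TAGGED = "name: researcher\ntools: !!python/object/apply:time.time []\n"
EXTRA_KEY = "name: researcher\non_load: notify\n"
```
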
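The file-write row in the table (CVE-2026-33309) comes from trusting the multipart filename. The check an upload handler needs is sketched here as an added example, not LangFlow's or CRUCIBLE's code; `resolve_upload_path`, `UnsafeFilename`, `is_accepted` and the sample names are hypothetical.

```python
import os


class UnsafeFilename(ValueError):
    """The client-supplied filename would not stay inside the upload root."""


def resolve_upload_path(upload_root: str, client_filename: str) -> str:
    """Map a multipart filename to a path guaranteed to sit inside upload_root."""
    if not client_filename or "\x00" in client_filename:
        raise UnsafeFilename("empty name or NUL byte")
    # Treat both separators as separators, whatever OS the server runs on.
    normalized = client_filename.replace("\\", "/")
    leaf = normalized.rsplit("/", 1)[-1]
    if leaf in ("", ".", ".."):
        raise UnsafeFilename("no usable file name component")
    # Strict policy: refuse names carrying directory parts instead of
    # silently stripping them, so the attempt shows up in logs.
    if leaf != normalized:
        raise UnsafeFilename("directory components are not accepted")
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, leaf))
    # Defence in depth: a symlink already inside the root could still
    # redirect the write, so compare fully resolved paths.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeFilename("resolved path leaves the upload root")
    return candidate


def is_accepted(upload_root: str, client_filename: str) -> bool:
    """Boolean wrapper for handlers that only need allow/deny."""
    try:
        resolve_upload_path(upload_root, client_filename)
        return True
    except UnsafeFilename:
        return False
```

Storing uploads under a server-generated name and keeping the client's name only as metadata removes the filename from the path decision altogether.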
PraisonAI exposes an unauthenticated Agent-to-User (A2U) event stream. CAPTURE subscribes with a single POST request and receives a live feed of every agent message, tool call, internal reasoning step, and credential in flight. No exploit. No authentication. No UNLEASHED required.
Destructive operations are gated behind Ed25519 dual-key authorization and a signed scope file. Standard mode is fully passive — safe for recon. Active exploitation requires --override. Agent hijack requires --confirm-destroy plus a scope file binding the operation to specific authorized targets.
CRUCIBLE ships as part of the NIGHTFALL framework. Native packages for major Linux security distributions, macOS, and Windows. Pre-installed on Red Specter OS.
CRUCIBLE is a commercial offensive security tool. Use requires written authorisation from the system owner before any testing commences. The UNLEASHED gate is a technical control — it does not replace legal authorisation. Computer Misuse Act 1990 (UK) and equivalent legislation applies in all jurisdictions. Red Specter Security Research Ltd accepts no liability for unauthorized use.