Red Specter CRUCIBLE

AI Agent Framework Exploitation Engine — 7 subsystems. 6 CVE modules. CVSS 9.9 max. Every vulnerable AI agent framework on one CLI.

v1.0.0 — Tool 48 of 48 — NIGHTFALL Offensive Framework

Contents

Overview The 7 Subsystems SIGNAL — Framework Fingerprinting BREACH — Authentication Bypass CRACK — CVE Exploit Modules CAPTURE — SSE Stream Interception MARIONETTE — Agent Takeover PIVOT — WARLORD Handoff REPORT — Evidence Chain CLI Reference UNLEASHED Gate WARLORD Integration Supported Frameworks Requirements Packaging Disclaimer

Overview

Red Specter CRUCIBLE is an AI agent framework exploitation engine. Where FORGE tests the model and ARSENAL tests the agent, CRUCIBLE targets the framework the agent runs on — LangFlow, PraisonAI, AnythingLLM, LangChain, n8n, and the expanding ecosystem of AI orchestration platforms that ship with pre-auth RCE, unauthenticated SSE streams, YAML deserialisation, and sandbox escapes baked in.

These are not theoretical vulnerabilities. CVE-2026-33017 (LangFlow exec() injection, CVSS 9.3) is on the CISA KEV list with a public PoC. CVE-2026-39888 (PraisonAI sandbox escape via exception frame chain, CVSS 9.9) requires zero authentication. CVE-2026-39890 (PraisonAI YAML deserialisation, CVSS 9.8) turns a config endpoint into unauthenticated shell access. Every module in CRUCIBLE is a real working exploit — no simulations, no stubs.

CRUCIBLE operates across three UNLEASHED clearance levels. At PASSIVE, it fingerprints frameworks and harvests unauthenticated SSE streams silently. At OVERRIDE, it tests authentication bypass and fires exploit modules. At DESTROY, it injects adversarial system prompts to hijack agent behaviour and packages the compromised agents as signed WARLORD assets for downstream campaign use.

CRUCIBLE is Tool 48 in the NIGHTFALL offensive framework — 372 tests, all passing. Findings feed into AI Shield M106 (Zero-Day Agent Exploit Detection) as runtime blocking rules. Hijacked agents are handed off to WARLORD for autonomous campaign integration.

The 7 Subsystems

Subsystem	Command	What It Does	Gate
SIGNAL	crucible signal	Framework fingerprinting — identifies platform, version, vulnerability status across 6 frameworks	PASSIVE
BREACH	crucible scan	Authentication bypass — tests default credentials, enumerates unauthenticated endpoints, captures session tokens	OVERRIDE
CRACK	crucible scan	CVE exploit modules — fires real working exploits against fingerprinted frameworks in CVSS order	OVERRIDE
CAPTURE	crucible capture	SSE stream interception — subscribes to unauthenticated agent event streams, extracts API keys and secrets	PASSIVE
MARIONETTE	crucible scan	Agent takeover — injects adversarial system prompts to hijack agent objectives, tools, and output	DESTROY
PIVOT	crucible scan	WARLORD handoff — packages hijacked agents as signed WARLORD assets with phase recommendations	DESTROY
REPORT	crucible scan	Evidence chain — JSON + Markdown reports with Ed25519 signatures, SHA-256 hashes, risk grading	PASSIVE

SIGNAL — Framework Fingerprinting

SIGNAL PASSIVE — No UNLEASHED required

SIGNAL probes a target URL against a registry of framework-specific HTTP endpoints, response patterns, and version indicators. It returns a confidence-weighted fingerprint: framework identity, exact version where available, and whether that version is in the vulnerable range for any known CVE.

Multi-probe fingerprinting — each framework has 2–5 probe paths, all tested concurrently
Confidence scoring — probes are weighted 0.0–1.0; the highest confidence match wins
Version extraction — JSON field parsing + regex extraction across HTML, headers, and API responses
Vuln mapping — detected version compared against per-CVE max_vulnerable_version registry
Unauthenticated path enumeration — records endpoints accessible without credentials for BREACH and CAPTURE

Supported frameworks: LangFlow, PraisonAI, AnythingLLM, LangChain, n8n, CrewAI, AutoGen. Unknown frameworks return confidence 0.0.

$ crucible signal --target http://ai-agent.internal:7860

# Output includes:
#   Framework: LANGFLOW  (confidence: 0.95)
#   Version:   1.8.0
#   Vulnerable: YES
#   CVEs:  CVE-2026-33017 (CVSS 9.3)  CVE-2026-33309 (CVSS 9.9)
#   Unauthenticated paths: /api/v1/version  /api/v1/flows/basic_examples

BREACH — Authentication Bypass

BREACH OVERRIDE — UNLEASHED --override required

BREACH tests authentication mechanisms before CRACK fires exploit modules. It tries framework-specific default credential sets against auth endpoints and enumerates paths accessible without any credentials. A session token captured here is passed to auth-requiring CRACK modules (e.g. CRACK-LF-002).

Default credential testing — per-framework credential lists (admin/admin, admin/password, superuser/superuser, etc.)
Auth endpoint enumeration — tests /api/v1/login, /api/v1/token, /login, /auth, /signin
Unauthenticated path probing — checks known no-auth endpoints for data exposure
Session token capture — extracts Bearer tokens from successful auth responses
BreachResult — has_access property, credential hit list, accessible paths, captured token

CRACK — CVE Exploit Modules

CRACK OVERRIDE — UNLEASHED --override required

CRACK fires real working exploit modules against fingerprinted frameworks. Modules run in CVSS order; CRACK stops at the first successful RCE unless --run-all is passed. Auth-requiring modules are skipped unless BREACH captured a session token. Every outcome is an ExploitOutcome with raw request/response, command output, CVE, CVSS, and severity.

Exploit Module Registry

Module ID	CVE / Advisory	Framework	Vuln Class	CVSS	Auth	Max Vuln Version
CRACK-LF-001	CVE-2026-33017	LangFlow	RCE via exec()	9.3	No	≤ 1.8.2
CRACK-LF-002	CVE-2026-33309	LangFlow	Arbitrary file write (path traversal)	9.9	Yes	≤ 1.8.2
CRACK-PA-001	GHSA-2763-cj5r-c79m	PraisonAI	OS command injection (shell=True)	9.1	No	≤ 4.5.114
CRACK-PA-002	CVE-2026-39888	PraisonAI	Sandbox escape (exception frame chain)	9.9	No	≤ 4.5.114
CRACK-PA-003	CVE-2026-39890	PraisonAI	YAML deserialisation RCE	9.8	No	≤ 4.5.114
CRACK-AL-001	CVE-2026-32626	AnythingLLM	XSS → RCE (Electron dangerouslySetInnerHTML)	9.6	No	≤ 1.11.1

CRACK-LF-001 — LangFlow Unauthenticated RCE (CVE-2026-33017)

LangFlow's public-facing flow execution endpoint passes Python code directly to exec() with no sanitisation. CRACK-LF-001 posts a Python code node to /api/v1/build_public_tmp/{flow_id}/flow containing a subprocess.run(command, shell=True) payload. The flow executes server-side with process owner privileges. No authentication required. CISA KEV listed. Public PoC exists.

CRACK-LF-002 — LangFlow Arbitrary File Write (CVE-2026-33309)

LangFlow's file upload API does not validate filenames before writing to disk. CRACK-LF-002 posts a multipart upload to /api/v2/files/ with a traversal filename (../../../../tmp/pwned), writing attacker-controlled content to arbitrary filesystem locations. Requires a valid session token — BREACH captures this from default credentials. CVSS 9.9.

CRACK-PA-002 — PraisonAI Sandbox Escape (CVE-2026-39888)

PraisonAI's code execution sandbox can be escaped via the Python exception frame chain. CRACK-PA-002 sends code that raises a controlled exception, then walks the traceback frames to reach sys.exc_info()[2].tb_frame.f_back.f_builtins, extracting the real exec builtin from outside the sandbox. No authentication required. CVSS 9.9.

CRACK-PA-003 — PraisonAI YAML Deserialisation (CVE-2026-39890)

PraisonAI's agent configuration API passes YAML to PyYAML's unsafe yaml.load(). CRACK-PA-003 posts a !!python/object/apply:subprocess.check_output payload to /api/v1/agents, achieving unauthenticated RCE via deserialisation. CVSS 9.8.

CRACK-AL-001 — AnythingLLM XSS → RCE (CVE-2026-32626)

AnythingLLM's Electron desktop app renders agent-generated markdown through dangerouslySetInnerHTML without sanitisation. CRACK-AL-001 injects an image tag with an onerror handler that calls Node.js require('child_process').execSync(). When a user views the poisoned response, the payload executes with Electron's Node.js integration at desktop privileges. CVSS 9.6.

CAPTURE — SSE Stream Interception

CAPTURE PASSIVE — No UNLEASHED required

CAPTURE exploits unauthenticated Server-Sent Events endpoints that AI agent frameworks expose for real-time streaming. It subscribes to the event stream, consumes all events for a configurable duration, scans every event for sensitive data, and returns a structured harvest with tool calls, agent messages, and any extracted secrets.

PraisonAI A2U stream — POST /a2u/subscribe, then GET /a2u/events/sub/{id}. Zero authentication. Exposes all agent reasoning, tool calls, and responses in real time (CVE-2026-39889)
LangFlow SSE — /api/v1/stream/{flow_id} event endpoint
Sensitive pattern scanning — OpenAI keys (sk-), Anthropic keys (sk-ant-api03-), passwords, Bearer tokens, API key fields, client secrets
SSEEvent — auto-parses JSON data, auto-scans for sensitive patterns on receipt
CaptureResult — total events, tool calls, agent messages, sensitive hits per pattern type

$ crucible capture --target http://praisonai.internal:8000 --framework praisonai --duration 30

# Subscribes to /a2u/subscribe, streams /a2u/events/sub/{id} for 30 seconds
# Output:
#   Events captured:  47
#   Tool calls:       12
#   Agent messages:   18
#   Sensitive hits:   openai_key (1)  password (2)

MARIONETTE — Agent Takeover

MARIONETTE DESTROY — UNLEASHED --override --confirm-destroy required

MARIONETTE injects adversarial system prompts into running agents via framework-native APIs. It does not need to compromise the model — it overrides agent objectives, tool permissions, and output targets at the orchestration layer. A successfully hijacked agent is a signed WARLORD asset ready for campaign integration.

Injection types: reconnaissance (extract internal data), exfiltration (route outputs to attacker), redirect (substitute target system), persistence (plant dormant trigger)
LangFlow — PATCH /api/v1/flows/{flow_id} to overwrite the system prompt node in the flow graph
PraisonAI — PATCH /api/v1/agents/{agent_id} to replace the system_prompt field
AgentSession — records agent ID, injection type, injected prompt, capabilities inferred, framework, and takeover timestamp
to_warlord_asset() — converts session to WARLORD-compatible asset dict with asset_type: "hijacked_agent"

PIVOT — WARLORD Handoff

PIVOT DESTROY — UNLEASHED --override --confirm-destroy required

PIVOT packages MARIONETTE's hijacked agents and CRACK's critical findings into a signed WARLORD handoff payload. Every handoff is Ed25519 signed, SHA-256 hashed, and written to disk if an output directory is specified. WARLORD ingests this directly for autonomous campaign continuation.

Asset packaging — hijacked agents + critical findings under a single signed payload
Phase recommendations — PIVOT analyses asset types and recommends FIREBALL (if hijacked agents), RAGNAROK (if agent fleet), GHOUL (if credential hits), LAZARUS (if persistence injection), WARLORD (always)
WARLORD schema — source_tool: "CRUCIBLE", nightfall_framework: true, asset list, recommendations
Ed25519 signature — payload signed with the UNLEASHED operator key; WARLORD verifies before import

REPORT — Evidence Chain

REPORT PASSIVE — No UNLEASHED required

REPORT produces a JSON engagement report (WARLORD-compatible schema) and a human-readable Markdown report. Every report is SHA-256 hashed and Ed25519 signed. Reports can be independently verified with crucible report verify.

Risk scoring — weighted formula: (max_cvss × 0.7) + (mean_cvss × 0.3), capped at 10.0
Risk grades — CRITICAL (≥9.0) / HIGH (≥7.0) / MEDIUM (≥4.0) / LOW (≥1.0) / INFO
Executive summary — finding counts by severity, RCE status, framework, best module
Full finding detail — CVE, CVSS, vuln class, payload sent, raw request/response, command output (truncated at 500 chars)
verify_report() — checks SHA-256 hash matches body, verifies Ed25519 signature against stored public key

CLI Reference

crucible scan — Full Engagement

$ crucible scan --target http://target:7860 [OPTIONS]

--target           Target URL (required)
--framework        Force framework (auto-detected if omitted)
--output-dir       Directory for reports and WARLORD handoff file
--timeout          HTTP timeout in seconds (default: 15)
--capture-duration SSE harvest duration in seconds (default: 30)
--run-all          Run all CRACK modules (default: stop at first RCE)
--override         UNLEASHED OVERRIDE mode — enables BREACH + CRACK
--confirm-destroy  UNLEASHED DESTROY mode — enables MARIONETTE + PIVOT (requires --override)

crucible signal — Fingerprint Only

$ crucible signal --target http://target:7860 [--timeout 15]

# Runs SIGNAL only. No UNLEASHED required.
# Returns: framework, version, confidence, CVE list, unauthenticated paths

crucible capture — SSE Harvest Only

$ crucible capture --target http://target:8000 --framework praisonai [--duration 30]

# Runs CAPTURE only. No UNLEASHED required.
# Framework required for capture (praisonai or langflow)

crucible modules — List Exploit Modules

$ crucible modules [--framework langflow]

# Lists all CRACK modules, or modules for a specific framework
# Output: module ID, CVE, framework, CVSS, vuln class, requires_auth, max_vuln_version

crucible auth — UNLEASHED Gate

$ crucible auth init
# Generates UNLEASHED key pair + operator key pair in ~/.red-specter/crucible/
# Sets file permissions to 600

$ crucible auth create-scope --targets http://target1.com http://target2.com [--expires-days 30]
# Creates a signed scope file authorising DESTROY-level operations against specified targets
# Signed by both UNLEASHED key and operator key

$ crucible auth status
# Prints key fingerprints, scope file status, and authorised targets

$ crucible auth revoke
# Removes the scope file. Disables DESTROY-level operations immediately.

UNLEASHED Gate

CRUCIBLE uses the NIGHTFALL Ed25519 dual-gate authentication system. Two key pairs govern three operational modes. DESTROY mode requires a signed scope file specifying authorised targets — operations against any target not in the scope file are blocked regardless of flags passed.

PASSIVE

No gate. No keys required.

SIGNAL (fingerprinting)
CAPTURE (SSE harvest)
REPORT (evidence chain)

OVERRIDE

--override flag. Ed25519 UNLEASHED key required.

BREACH (auth bypass)
CRACK (exploit modules)

DESTROY

--override --confirm-destroy. Both keys + signed scope file required. Target must be in scope.

MARIONETTE (agent takeover)
PIVOT (WARLORD handoff)

Key Files

~/.red-specter/crucible/
  unleashed.key     # Ed25519 private key (permissions: 600)
  operator.key      # Operator Ed25519 private key (permissions: 600)
  scope.json        # Signed scope file — required for DESTROY mode

Scope File

The scope file is a JSON document signed by both the UNLEASHED key and the operator key. It specifies authorised targets (with wildcard support), an expiry timestamp, the tool name, framework name, and permitted operations. DESTROY-mode operations verify the target matches an entry in the scope file before executing.

{
  "tool": "CRUCIBLE",
  "framework": "NIGHTFALL",
  "authorized_targets": ["http://target.com", "*.internal.corp"],
  "expires": "2026-05-10T00:00:00",
  "permitted_frameworks": ["langflow", "praisonai"],
  "unleashed_signature": "...",
  "operator_signature": "..."
}

WARLORD Integration

CRUCIBLE is a first-class WARLORD asset source. PIVOT produces a signed handoff file that WARLORD ingests directly. Hijacked agents from MARIONETTE become WARLORD assets with asset_type: "hijacked_agent". WARLORD can then deploy these agents as nodes in autonomous campaign phases.

# WARLORD handoff schema (written by PIVOT)
{
  "source_tool": "CRUCIBLE",
  "nightfall_framework": true,
  "target": "http://target:7860",
  "framework": "langflow",
  "assets": [
    {
      "asset_type": "hijacked_agent",
      "agent_id": "flow-abc123",
      "framework": "langflow",
      "injection_type": "exfiltration",
      "capabilities": ["web_search", "code_execution", "data_exfiltration"]
    }
  ],
  "critical_findings": [...],
  "recommended_next_phases": ["FIREBALL", "LAZARUS", "WARLORD"],
  "signature": "..."
}

Phase Recommendations

PIVOT analyses captured assets and recommends WARLORD campaign phases automatically:

FIREBALL — recommended when hijacked agents are available (agent infiltration)
RAGNAROK — recommended when multiple hijacked agents are present (fleet-wide collapse)
GHOUL — recommended when credential hits were recorded
LAZARUS — recommended when persistence injection was performed
WARLORD — always recommended (autonomous campaign orchestration)

Supported Frameworks

Framework	Fingerprinting	Exploit Modules	SSE Capture	Agent Takeover
LangFlow	✓ (SIGNAL)	CRACK-LF-001, CRACK-LF-002	✓	✓ (flow patch)
PraisonAI	✓ (SIGNAL)	CRACK-PA-001, CRACK-PA-002, CRACK-PA-003	✓ (A2U stream)	✓ (agent patch)
AnythingLLM	✓ (SIGNAL)	CRACK-AL-001	—	—
LangChain	✓ (SIGNAL)	CVE-2026-34070 (path traversal)	—	—
n8n	✓ (SIGNAL)	— (v1)	—	—
CrewAI / AutoGen	✓ (SIGNAL)	— (v1)	—	—

Requirements

Python — 3.11 or higher
aiohttp — async HTTP for fingerprinting, exploitation, and SSE streaming
typer — CLI framework
rich — terminal output formatting
pydantic — data validation for engagement models
cryptography / PyNaCl — Ed25519 key generation, signing, and verification
pyyaml — YAML payload construction for CRACK-PA-003
sseclient-py — Server-Sent Events stream parsing for CAPTURE

# Install
$ pip install red-specter-crucible # or:
$ red-specter tools  # install via NIGHTFALL framework CLI

# Verify
$ crucible --version
crucible 1.0.0

# Initialise UNLEASHED gate
$ crucible auth init

Packaging

CRUCIBLE is available in three package formats for security-focused Linux distributions:

Debian / Kali / Parrot / REMnux / Tsurugi — .deb package
BlackArch — PKGBUILD
Install — red-specter tools

For access, contact richard@red-specter.co.uk

CRUCIBLE UNLEASHED

Cryptographic override. Private key controlled. One operator. Founder's machine only.

Disclaimer

Red Specter CRUCIBLE is designed for authorised security testing, research, and educational purposes only. You must have explicit written permission from the system owner before running any CRUCIBLE operation against a target. The exploit modules in CRUCIBLE reference real CVEs with working proof-of-concept code — use against systems you do not own or have written authorisation to test is illegal. Unauthorised use may violate the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), or equivalent legislation in your jurisdiction. The authors accept no liability for misuse.