lhumina_code/hero_aibroker
4
0
Fork 0
Code Issues 65 Pull requests 2 Projects Releases 3 Packages Wiki Activity Actions

Security: Cascade mother broker has no authentication between brokers #115

New issue
Open
opened 2026-05-11 23:08:58 +00:00 by thabeta · 0 comments
thabeta commented 2026-05-11 23:08:58 +00:00
Owner
Copy link

Severity: Critical

Location

crates/hero_aibroker_lib/src/providers/ai_broker_mother.rsbuild_mother_provider()

Finding

The cascade mother broker uses a hardcoded placeholder key with no actual authentication:

pub fn build_mother_provider(...) -> (Arc<OpenAIProvider>, Arc<KeyPool>) {
    let placeholder = ApiKey {
        key: "ai-broker-mother-cascade".to_string(),  // NO AUTH
        priority: 0,
        weight: 1,
        rpm: None,
    };
    // ...
}

Impact

  • Any host that can reach the mother broker's TCP port can use it as a proxy
  • No authentication between cascade brokers
  • Provider API keys, request content, and billing data flow without auth
  • An attacker who discovers a mother broker on the network can drain API key quotas

Recommendation

  • Add shared secret authentication between cascade brokers
  • Support mutual TLS for broker-to-broker communication
  • Validate incoming requests against a configured allowlist of child broker IPs
  • Document that cascade TCP requires network-level security (VPN/WireGuard)
## Severity: Critical ## Location `crates/hero_aibroker_lib/src/providers/ai_broker_mother.rs` — `build_mother_provider()` ## Finding The cascade mother broker uses a hardcoded placeholder key with no actual authentication: ```rust pub fn build_mother_provider(...) -> (Arc<OpenAIProvider>, Arc<KeyPool>) { let placeholder = ApiKey { key: "ai-broker-mother-cascade".to_string(), // NO AUTH priority: 0, weight: 1, rpm: None, }; // ... } ``` ## Impact - Any host that can reach the mother broker's TCP port can use it as a proxy - No authentication between cascade brokers - Provider API keys, request content, and billing data flow without auth - An attacker who discovers a mother broker on the network can drain API key quotas ## Recommendation - Add shared secret authentication between cascade brokers - Support mutual TLS for broker-to-broker communication - Validate incoming requests against a configured allowlist of child broker IPs - Document that cascade TCP requires network-level security (VPN/WireGuard)
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
development
development_align_chat_drop_sdk_specs
development_drop_stale_openrpc_artifacts
main
lab-latest
v0.1.1
v0.1.0
Labels
Clear labels   
prio_critical

   
prio_low

   
type_bug

   
type_contact

   
type_issue

   
type_lead

   
type_question

   
type_story

   
type_task
No labels
prio_critical
prio_low
type_bug
type_contact
type_issue
type_lead
type_question
type_story
type_task
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
lhumina_code/hero_aibroker#115
No description provided.