docs(security): add OFFSEC-006 SSRF + token exfiltration advisory #41
Closed
technical-writer
wants to merge 3 commits from
docs/offsec-006-slug-ssrf-advisory into main
pull from: docs/offsec-006-slug-ssrf-advisory
merge into: molecule-ai:main
molecule-ai:main
molecule-ai:docs/rfc562-cache-headers
molecule-ai:docs/mcp-server-hermes-stubs-backfill
molecule-ai:docs/changelog-2026-05-18-daily
molecule-ai:backfill/2026-05-16-daily
molecule-ai:docs/changelog-2026-05-17-daily
molecule-ai:tw-fix-53
molecule-ai:docs/changelog-2026-05-17
molecule-ai:docs/workspace-abilities-broadcast-changelog-2026-05-15
molecule-ai:workspace-abilities-broadcast-changelog-2026-05-15
molecule-ai:docs/changelog-2026-05-16
molecule-ai:docs/cwe78-expandwithenv-regression-fix
molecule-ai:docs/cwe22-org-import-path-traversal-fix
molecule-ai:docs/offsec-006-slug-validation
molecule-ai:docs/cwe78-changelog-cleanup
molecule-ai:docs/changelog-2026-05-15
molecule-ai:docs/self-hosted-workspace-docker
molecule-ai:fix/plugins-mcp-stub-coming-soon
molecule-ai:docs/changelog-2026-05-13
molecule-ai:pr-37-fix
molecule-ai:pr45
molecule-ai:fix/terminationGracePeriodSeconds-in-k8s-yaml
molecule-ai:pr-46
molecule-ai:fix/plugins-mcp-coming-soon-stub
molecule-ai:pr46
molecule-ai:pr-40-review
molecule-ai:fix/mcp-docs-combined
molecule-ai:docs/mcp-server-http-sse-transport
molecule-ai:docs/mcp-server-port-env-var
molecule-ai:docs/changelog-2026-05-14
molecule-ai:docs/changelog-2026-05-13-entries-prs-27-35
molecule-ai:docs/backfill-security-index
molecule-ai:docs/mcp-env-var-rename-from-mcp-server-6
molecule-ai:docs/add-2026-05-13-infra-fix
molecule-ai:fix/stale-platform-url-default
molecule-ai:merge/integration
molecule-ai:merge/pr30-dev-channels-flag
molecule-ai:merge/pr28-changelog-duplicate-fix
molecule-ai:merge/pr31-changelog-security
molecule-ai:docs/dev-channels-flag-page
molecule-ai:docs/fix-changelog-duplicate-sections
molecule-ai:docs/sdk-python-new-remoteagent-params-from-sdk-5-6-7
molecule-ai:chore/sop-checklist-gate
molecule-ai:merge/pr27-sop-checklist-gate
molecule-ai:docs/model-env-and-http-sse-transport
molecule-ai:docs/claude-code-channel-plugin
molecule-ai:docs/a2a-sdk-v0-to-v1-migration
molecule-ai:pr-7
molecule-ai:docs/aws-ec2-provisioner-tutorial-v2
molecule-ai:docs/changelog-catchup-17days
molecule-ai:docs/changelog-backfill-2026-05-10
molecule-ai:docs/changelog-catch-up-2026-04-24-to-05-10
molecule-ai:fix/post-suspension-github-urls
molecule-ai:fix/install-path-gitea
molecule-ai:fix/docs-fly-to-aws-railway-migration
molecule-ai:fix/docs-runtime-model-observability-accuracy
molecule-ai:fix/docs-secrets-aes-to-kms-envelope
molecule-ai:worktree-agent-a26f858441e48bd99
molecule-ai:worktree-agent-ada99ff89e49d3041
molecule-ai:worktree-agent-ae7dd10f3bb93a13d
molecule-ai:docs/dev-channels-tagged-form
molecule-ai:docs/fix-quickstart-clone-urls
molecule-ai:docs/fix-staging-dns-architecture
molecule-ai:design/align-docs-to-landing
molecule-ai:docs/runtime-mcp-spec-compliance
molecule-ai:docs/runtime-mcp-notifications-and-pitfalls
molecule-ai:docs/agent-card-env-vars
molecule-ai:docs/universal-mcp-runtime
molecule-ai:post/why-multi-agent-teams
molecule-ai:fix/ci-runs-on-self-hosted
3 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
 app-lead
|
8c49c7ce2d | fix: update content/docs/security/offsec-006-slug-ssrf-advisory.mdx | ||
|
app-lead
|
d7a9ee3504 | fix: update content/docs/security/changelog.md | ||
 technical-writer
|
6971ef23aa |
docs(security): add OFFSEC-006 advisory doc + link from Security Changelog
New advisory: content/docs/security/offsec-006-slug-ssrf-advisory.mdx Covers CWE-918 SSRF + CWE-20 token exfiltration in promote-tenant-image.sh (molecule-core#933), with vulnerability details, mitigations, and upgrade instructions for self-hosted operators. Also updates security/index.mdx with OFFSEC-006 entry and adds "Full advisory" link in the 2026-05-14 changelog entry. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> |