Potential payment gate bypass: any Authorization header unlocks tool execution
Hi, I noticed a possible payment-flow issue in the current repository state. This is a conservative report based on the current code path, and I may be missing deployment-specific guards outside this repository.
Repository: https://github.com/achilliesbot/secure-exec
Reviewed HEAD: d6f6229
What I observed
The /exec/tool endpoint uses a payment gate that returns a 402 challenge only when Authorization is missing. Any present Authorization value is accepted as either MPP or x402 and the endpoint executes the requested tool path.
Relevant code excerpts (line numbers are from the reviewed HEAD; `...` marks elided lines):

secureexec_server.py:20-52

```python
20 def check_payment(req):
...
33     auth = req.headers.get('Authorization', '')
34
35     if not auth:
36         return False, None, {
...
51     protocol = 'mpp' if auth.startswith('MPP') else 'x402'
52     return True, protocol, None
```

secureexec_server.py:73-85

```python
73     # Payment gate
74     authorized, payment_protocol, payment_error = check_payment(request)
75     if not authorized:
76         return jsonify(payment_error), 402
77
78     result = exec_tool(
79         agent_id=agent_id,
80         tool=tool,
81         dry_run=body.get('dryRun', True),
82         context=body.get('context', {}),
83         payment_protocol=payment_protocol
84     )
85     return jsonify(result), 200
```

secureexec_engine.py:119-155

```python
119 def exec_tool(agent_id, tool, dry_run=True, context=None, payment_protocol=None):
...
129     dry_run = True  # Force in v1
...
132     iam_approved, ep_proof = validate_with_ep(agent_id, tool_name, dry_run)
133     result = simulate_tool(tool_name, args)
...
143     response = {
144         'jobId': job_id,
145         'tool': tool_name,
146         'dryRun': dry_run,
147         'status': status,
148         'result': result,
149         'iamApproved': iam_approved,
150         'proofHash': proof_hash,
151         'paymentProtocol': payment_protocol,
152         'latencyMs': latency_ms,
153         'timestamp': datetime.now(timezone.utc).isoformat(),
154         'schemaVersion': 'v1'
155     }
```
Why this may matter
The endpoint returns a tool result/proof payload after only an Authorization-header presence check. I did not see any verification that the header contains a valid payment credential, nor any amount/recipient/resource/expiry binding.
Suggested check
Consider verifying the Authorization credential against the x402/MPP payment requirements before calling exec_tool, and reject headers that do not carry a valid payment proof. If dry-run mode is meant to be free, the endpoint should distinguish free and paid modes explicitly rather than advertising a payment gate.
Conservative caveat
The engine currently forces dryRun = True, which reduces side-effect risk. The issue is still relevant to paid access semantics because /exec/tool returns the protected tool response after a shallow gate.
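To make the suggested check concrete, here is an added, self-contained example that is not code from the secure-exec repository. `shallow_gate` reproduces the presence-only check described above; `strict_gate` shows what a credential-verifying gate looks like, and `gate_request` shows free and paid modes being distinguished explicitly. The proof format (a base64 JSON body plus an HMAC tag under a shared `VERIFIER_KEY`), the `mint_proof` issuer, and the `REQUIREMENTS` values are all assumptions standing in for whatever the real x402/MPP verifier does; the point is the binding checks (scheme, signature, resource, recipient, amount, expiry), not the token encoding.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical shared secret standing in for the real x402/MPP verification
# step (facilitator signature, settlement receipt, etc.). Example only.
VERIFIER_KEY = b"example-verifier-key-not-for-production"

# Payment requirements the endpoint would advertise in its 402 challenge.
# Constructed values for this example.
REQUIREMENTS = {
    "resource": "/exec/tool",
    "recipient": "0xRECIPIENT",
    "amount": 1000,
}


def shallow_gate(headers):
    """The gate as observed in the report: any non-empty Authorization passes."""
    auth = headers.get("Authorization", "")
    if not auth:
        return False, None
    protocol = "mpp" if auth.startswith("MPP") else "x402"
    return True, protocol


def mint_proof(amount, recipient, resource, expires_at, key=VERIFIER_KEY):
    """Issue a signed proof (hypothetical payer/facilitator side, used here
    only to produce realistic inputs for strict_gate)."""
    claims = {"amount": amount, "recipient": recipient,
              "resource": resource, "exp": expires_at}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + sig


def strict_gate(headers, requirements=REQUIREMENTS, now=None, key=VERIFIER_KEY):
    """Accept only a header carrying a proof that is signed by the verifier
    and bound to this resource, recipient, amount and time window.
    Returns (authorized, protocol, error_dict)."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    # Scheme must be one of the advertised protocols, and a token must follow.
    if scheme not in ("MPP", "x402") or not token:
        return False, None, {"error": "payment required", "accepts": ["MPP", "x402"]}
    body_b64, _, sig = token.rpartition(".")
    try:
        body = base64.urlsafe_b64decode(body_b64.encode())
        claims = json.loads(body)
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False, None, {"error": "malformed payment proof"}
    # Signature first: unsigned or forged claims are never inspected further.
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, None, {"error": "invalid proof signature"}
    # Binding checks: the proof must be for this endpoint, payee and price.
    if claims.get("resource") != requirements["resource"]:
        return False, None, {"error": "proof not bound to this resource"}
    if claims.get("recipient") != requirements["recipient"]:
        return False, None, {"error": "proof pays the wrong recipient"}
    amount = claims.get("amount")
    if not isinstance(amount, int) or amount < requirements["amount"]:
        return False, None, {"error": "insufficient amount"}
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, None, {"error": "proof expired"}
    return True, scheme.lower(), None


def gate_request(headers, dry_run, requirements=REQUIREMENTS, now=None):
    """If dry runs are meant to be free, say so explicitly rather than
    advertising a payment gate that a bare header satisfies."""
    if dry_run:
        return True, "free", None
    return strict_gate(headers, requirements, now)
```

With `shallow_gate`, `Authorization: Bearer anything` is enough to reach the tool path; `strict_gate` rejects it, rejects a well-formed proof signed under a different key, and rejects proofs for another resource, a smaller amount, or a past expiry, so the 402 challenge actually means something.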