Summary
A widely deployed open-source multi-agent framework enforced tool-access policy at the point where a user-facing agent received a request, but did not re-check that policy when an agent delegated a sub-task to another agent in the chain. A delegated sub-agent inherited the framework's full tool registry rather than the restricted set assigned to its parent, so a request that an entry agent was forbidden from servicing directly could be satisfied by routing it one hop downstream.
The result is a confused-deputy problem: an attacker who can influence the entry agent's task — through ordinary user input or indirect prompt injection in retrieved content — can cause a privileged tool to execute despite the entry agent lacking that privilege. The defect is architectural and present in the default configuration of affected versions.
Technical Details
The framework attached an allow-list of tool names to each agent and validated calls against that list in the request handler. Delegation, however, was implemented by constructing a fresh execution context for the sub-agent seeded from the global tool registry, not from the parent's allow-list. The parent's restrictions were never propagated across the delegation boundary, and no policy check ran when the sub-agent resolved a tool. Because planning and delegation are model-driven, an injected instruction that named a downstream agent and a privileged tool was sufficient to trigger the escalation; the chain depth and exact agent naming required to reach a sensitive tool account for the higher attack complexity.
In keeping with LogicLeak's disclosure policy, weaponizable proof-of-concept code is withheld until sufficient remediation has deployed across downstream consumers. The class description and mitigation below are sufficient for maintainers and operators to verify exposure.
Impact
An agent restricted to read-only or low-sensitivity tools could reach state-modifying or external-communication tools — file writes, outbound requests, or privileged API calls — by delegating to a sub-agent. The blast radius equals the most privileged tool registered anywhere in the framework instance, not the privilege of the agent the attacker can directly reach. Integrity of downstream actions is the primary loss; no direct confidentiality breach is required to trigger the bypass.
Disclosure Timeline
Remediation
Maintainers should propagate the originating agent's tool allow-list across every delegation boundary and intersect — never widen — privileges as a task moves downstream. Tool-access policy must be evaluated at the point a tool is resolved, in framework code, not at the request handler alone. Operators on affected versions should upgrade to the patched release; until then, constrain the global tool registry to the least-privileged set any agent legitimately needs, and isolate privileged tools into a separate framework instance that untrusted entry agents cannot delegate into.
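The following is an added example, not the affected framework's code: a minimal Python model of the delegation defect described under Technical Details beside the hardened delegation and tool-resolution checks recommended above. The tool registry, tool names and agent names are constructed for illustration; the denial log is an operator-side detection aid, not a framework feature.

```python
# Added example, not the affected framework's code: a minimal model of the
# delegation defect beside the hardened form. Tool and agent names are constructed.
from dataclasses import dataclass

GLOBAL_TOOLS = frozenset({"read_file", "write_file", "http_post"})  # constructed registry
DENIALS = []  # denied resolutions; a useful detection signal for operators


@dataclass(frozen=True)
class Agent:
    name: str
    allowed: frozenset  # tool allow-list attached to this agent


def vulnerable_delegate(parent: Agent, child_name: str) -> Agent:
    # Defect: the sub-agent context is seeded from the global registry, so the
    # parent's allow-list never crosses the delegation boundary.
    return Agent(child_name, GLOBAL_TOOLS)


def hardened_delegate(parent: Agent, child_name: str, requested=None) -> Agent:
    # Fix: intersect with the parent's list, never widen. A sub-task may ask
    # for a narrower set; anything outside the parent's list is dropped.
    wanted = GLOBAL_TOOLS if requested is None else frozenset(requested)
    return Agent(child_name, parent.allowed & wanted)


def resolve_tool(agent: Agent, tool: str) -> str:
    # Fix: policy is evaluated where the tool is resolved, in framework code,
    # not only in the entry request handler.
    if tool not in GLOBAL_TOOLS:
        raise KeyError(f"unknown tool {tool!r}")
    if tool not in agent.allowed:
        DENIALS.append((agent.name, tool))
        raise PermissionError(f"{agent.name} may not use {tool}")
    return tool


def tool_reachable(entry: Agent, tool: str, delegate, depth: int = 1) -> bool:
    """Entry agent tries `tool`; if denied it delegates, up to `depth` hops, and
    each sub-agent retries. True means the tool would execute somewhere in the chain."""
    agent = entry
    for hop in range(depth + 1):
        try:
            resolve_tool(agent, tool)
            return True
        except PermissionError:
            if hop == depth:
                return False
            agent = delegate(agent, f"sub-agent-{hop + 1}")
    return False
```

With the vulnerable delegation an entry agent limited to `read_file` reaches `write_file` after one hop; with the hardened delegation no chain depth widens the allow-list, and every denied resolution lands in `DENIALS` for review.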