Security: Local discovery broadcasts service info with no authentication #97

New issue

Open

opened 2026-05-11 13:49:52 +00:00 by thabeta · 0 comments

thabeta commented

2026-05-11 13:49:52 +00:00

Owner

Severity: Medium

Location

crates/hero_aibroker_lib/src/local_discovery.rs

Finding

The local discovery mechanism broadcasts service availability on the local network. There is no authentication or authorization for discovery responses:

Any service on the network can advertise itself
No verification that a discovered service is legitimate
Discovery responses may leak service topology information

Recommendation

Add discovery authentication (shared secret or signed responses)
Validate discovered services before registering them
Allow discovery to be disabled in sensitive environments

## Severity: Medium ## Location `crates/hero_aibroker_lib/src/local_discovery.rs` ## Finding The local discovery mechanism broadcasts service availability on the local network. There is no authentication or authorization for discovery responses: - Any service on the network can advertise itself - No verification that a discovered service is legitimate - Discovery responses may leak service topology information ## Recommendation - Add discovery authentication (shared secret or signed responses) - Validate discovered services before registering them - Allow discovery to be disabled in sensitive environments