engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection
The local HTTP server started by engram server (binding 127.0.0.1:7337 by default) was exposed to any browser origin with no authentication unless ENGRAM_API_TOKEN was explicitly set. Combined with Access-Control-Allow-Origin: * on every response and a body parser that did not require Content-Type: application/json, this allowed a malicious web page the developer visited to: Exfiltrate the local knowledge graph via GET /query and GET /stats (function names, file layout, recorded decisions/mistakes). …