{"id":14211310,"name":"github.com/getaxonflow/axonflow","ecosystem":"go","description":"","homepage":"https://github.com/getaxonflow/axonflow","licenses":"other","normalized_licenses":["Other"],"repository_url":"https://github.com/getaxonflow/axonflow","keywords_array":[],"namespace":"github.com/getaxonflow","versions_count":65,"first_release_published_at":"2025-12-14T20:26:39.000Z","latest_release_published_at":"2026-05-09T15:18:27.000Z","latest_release_number":"v7.9.0+incompatible","last_synced_at":"2026-05-17T11:20:30.518Z","created_at":"2026-04-09T08:31:43.107Z","updated_at":"2026-05-17T11:20:30.518Z","registry_url":"https://pkg.go.dev/github.com/getaxonflow/axonflow","install_command":"go get github.com/getaxonflow/axonflow","documentation_url":"https://pkg.go.dev/github.com/getaxonflow/axonflow#section-documentation","metadata":{},"repo_metadata":{"id":329436448,"uuid":"1108435661","full_name":"getaxonflow/axonflow","owner":"getaxonflow","description":"AxonFlow: Runtime control layer for production AI","archived":false,"fork":false,"pushed_at":"2026-05-03T01:13:25.000Z","size":13840,"stargazers_count":46,"open_issues_count":1,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-03T03:18:19.613Z","etag":null,"topics":["agent-runtime","agentic-ai","ai-control-plane","ai-governance","ai-observability","ai-orchestration","ai-workflow","deterministic-workflows","enterprise-ai","execution-engine","llm-security","mcp","multi-agent-systems","responsible-ai","runtime-infra","workflow-engine"],"latest_commit_sha":null,"homepage":"https://docs.getaxonflow.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/getaxonflow.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":"docs/governance/cost-controls.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-02T12:54:19.000Z","updated_at":"2026-05-03T01:13:28.000Z","dependencies_parsed_at":null,"dependency_job_id":"8a09a3a1-ef2b-46ed-827e-acf8d50e0116","html_url":"https://github.com/getaxonflow/axonflow","commit_stats":null,"previous_names":["getaxonflow/axonflow"],"tags_count":61,"template":false,"template_full_name":null,"purl":"pkg:github/getaxonflow/axonflow","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getaxonflow%2Faxonflow","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getaxonflow%2Faxonflow/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getaxonflow%2Faxonflow/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getaxonflow%2Faxonflow/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/getaxonflow","download_url":"https://codeload.github.com/getaxonflow/axonflow/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getaxonflow%2Faxonflow/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32717089,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-06T19:35:05.142Z","status":"ssl_error","status_checked_at":"2026-05-06T19:35:03.996Z","response_time":117,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"repo_metadata_updated_at":"2026-05-07T00:12:24.124Z","dependent_packages_count":0,"downloads":null,"downloads_period":null,"dependent_repos_count":0,"rankings":{"downloads":null,"dependent_repos_count":5.179348613755824,"dependent_packages_count":4.853181954503123,"stargazers_count":null,"forks_count":null,"docker_downloads_count":null,"average":5.0162652841294735},"purl":"pkg:golang/github.com/getaxonflow/axonflow","advisories":[{"uuid":"GSA_kwCzR0hTQS05aDY0LTI4NDYtN3g3Zs4ABWWr","url":"https://github.com/advisories/GHSA-9h64-2846-7x7f","title":"Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening","description":"## Summary\n\nEight independently-filed bug fixes in the v7.1.3 → v7.5.0 release window collectively close a set of multi-tenant isolation, access-control, and policy-enforcement defects in the AxonFlow platform. They are filed as a single consolidated advisory because the recommended remediation is a single platform upgrade.\n\n## Affected versions\n\n`\u003c 7.5.0`. Specific items affect different earlier minors; see Impact below.\n\n## Patched versions\n\n`\u003e= 7.5.0`.\n\n## Impact\n\n| # | Item | Affected | Patched | CWE |\n|---|---|---|---|---|\n| 1 | **MAP execution multi-tenant isolation.** A body-supplied `org_id` could override the Basic-auth-derived org for both execution recording and policy evaluation. In multi-tenant deployments with shared agents, this could record one tenant's request under another tenant's audit log and evaluate it under the wrong tenant's policy set. | `\u003c 7.4.5` | `\u003e= 7.4.5` | CWE-863 |\n| 2 | **Cross-tenant audit-log leak via evidence/explain handlers.** The handlers behind `/api/v1/evidence/*` and `/api/v1/decisions/*/explain` failed open when the tenant context was missing, returning data scoped to a different tenant or returning data without scope. | `\u003c 7.2.0` | `\u003e= 7.2.0` | CWE-200, CWE-863 |\n| 3 | **License-validation bypass on `onboard-customer`.** The portal customer-onboard endpoint lacked authentication and license-key validation, allowing unauthenticated callers to invoke the onboard flow. | `\u003c 7.2.0` | `\u003e= 7.2.0` | CWE-862 |\n| 4 | **Tenant-scope fail-open on evidence/explain.** Distinct from item 2: when tenant headers were absent, the handler defaulted to a permissive read scope rather than refusing the request. | `\u003c 7.2.0` | `\u003e= 7.2.0` | CWE-862 |\n| 5 | **Internal-service auth fallback bypass in non-Community modes.** Evaluation/Enterprise builds carried an auth fallback path that, under specific request shapes, could be exploited to bypass `apiAuthMiddleware`. | `\u003c 7.2.0` | `\u003e= 7.2.0` | CWE-863 |\n| 6 | **Login timing / org-existence disclosure on the portal.** The login handler returned different timing and response bodies for invalid-org vs invalid-password, allowing org enumeration. | `\u003c 7.1.3` | `\u003e= 7.1.3` | CWE-208 |\n| 7 | **Portal DoS via unbounded request body.** The portal accepted unbounded request bodies, allowing memory-exhaustion attacks. Capped at 1 MiB. | `\u003c 7.1.5` | `\u003e= 7.1.5` | CWE-770 |\n| 8 | **SQL-injection enforcement regression on `try.getaxonflow.com`.** The Community SaaS hosted endpoint inherited the `warn` SQLi default introduced in v6.2.0, allowing SQL-injection-shaped requests to pass governance to the LLM. Self-hosted deployments were unaffected unless they manually changed the default. | `\u003c 7.5.0` (try.getaxonflow.com only) | `\u003e= 7.5.0` | CWE-89 |\n\n## Remediation\n\nUpgrade to AxonFlow platform **v7.5.0** or later. No configuration changes required — the platform is purely additive and existing API/SDK callers continue to work.\n\nFor users who can't upgrade immediately, item-specific mitigations:\n\n- **Items 1–5:** ensure the agent middleware sets `X-Org-ID` / `X-Tenant-ID` from authenticated identity at the ingress, never accepting body-supplied identity.\n- **Item 8 (Community SaaS):** `SQLI_ACTION=block` can be set explicitly via the agent task definition; v7.5.0 makes this the default.\n\n## Resources\n\n- AxonFlow v7.5.0 CHANGELOG entry: https://github.com/getaxonflow/axonflow/blob/main/CHANGELOG.md\n- AxonFlow v7.5.0 GitHub Release: https://github.com/getaxonflow/axonflow/releases/tag/v7.5.0\n\n## Credit\n\nIdentified by AxonFlow internal security review during the April 2026 quality-freeze epic.","origin":"UNSPECIFIED","severity":"CRITICAL","published_at":"2026-05-06T23:13:27.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":9.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L","references":["https://github.com/getaxonflow/axonflow/security/advisories/GHSA-9h64-2846-7x7f","https://github.com/getaxonflow/axonflow/blob/main/CHANGELOG.md","https://github.com/getaxonflow/axonflow/releases/tag/v7.5.0","https://github.com/advisories/GHSA-9h64-2846-7x7f"],"source_kind":"github","identifiers":["GHSA-9h64-2846-7x7f"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-05-07T00:00:09.403Z","updated_at":"2026-05-07T07:00:09.879Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05aDY0LTI4NDYtN3g3Zs4ABWWr","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS05aDY0LTI4NDYtN3g3Zs4ABWWr","packages":[{"ecosystem":"go","package_name":"github.com/getaxonflow/axonflow","versions":[{"first_patched_version":"7.5.0","vulnerable_version_range":"\u003c 7.5.0"}],"purl":"pkg:go/github.com%2Fgetaxonflow%2Faxonflow"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05aDY0LTI4NDYtN3g3Zs4ABWWr/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/go/github.com/getaxonflow/axonflow","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/go/github.com/getaxonflow/axonflow","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/go/github.com/getaxonflow/axonflow/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":{"last_synced_at":"2026-05-03T05:26:08.827Z","issues_count":0,"pull_requests_count":16,"avg_time_to_close_issue":null,"avg_time_to_close_pull_request":14991.5625,"issues_closed_count":0,"pull_requests_closed_count":16,"pull_request_authors_count":2,"issue_authors_count":0,"avg_comments_per_issue":null,"avg_comments_per_pull_request":0.125,"merged_pull_requests_count":14,"bot_issues_count":0,"bot_pull_requests_count":1,"past_year_issues_count":0,"past_year_pull_requests_count":16,"past_year_avg_time_to_close_issue":null,"past_year_avg_time_to_close_pull_request":14991.5625,"past_year_issues_closed_count":0,"past_year_pull_requests_closed_count":16,"past_year_pull_request_authors_count":2,"past_year_issue_authors_count":0,"past_year_avg_comments_per_issue":null,"past_year_avg_comments_per_pull_request":0.125,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":1,"past_year_merged_pull_requests_count":14,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/getaxonflow%2Faxonflow/issues","maintainers":[{"login":"saurabhjain1592","count":15,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/saurabhjain1592"}],"active_maintainers":[{"login":"saurabhjain1592","count":15,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/saurabhjain1592"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fgetaxonflow%2Faxonflow/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fgetaxonflow%2Faxonflow/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fgetaxonflow%2Faxonflow/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fgetaxonflow%2Faxonflow/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fgetaxonflow%2Faxonflow/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fgetaxonflow%2Faxonflow/codemeta","maintainers":[]}