The ADK for Java dev web server (the local "adk web" UI / REST API a developer runs to interact with an agent) accepts requests from any origin on both its WebSocket and its REST API, and it has no authentication. The /run_live WebSocket handler is registered with setAllowedOrigins("*"), which disables the server-side origin check, and the REST CORS configuration defaults to origins = List.of("*"). As a result, any website a developer visits while the dev server is running can, with no DNS rebinding and no credentials: open the /run_live WebSocket and drive the agent (send turns that trigger the agent's tools and read the streamed responses), and read the REST API responses cross-origin (list/read sessions, read artifacts, run output).
Unlike the equivalent issue in ADK for Go (where the WebSocket relies on the framework's default same-origin check and a browser attack requires DNS rebinding), here the wildcard origin is explicit, so a plain cross-origin connection from any page succeeds.
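An origin allowlist for the two surfaces named above, with the wildcard settings shown in comments beside the restricted ones. This is an added example, not ADK's own code: it assumes a Spring-based server (which `setAllowedOrigins` suggests), and the class name, the injected handler and the port-8080 origins are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.config.annotation.EnableWebSocket;
import org.springframework.web.socket.config.annotation.WebSocketConfigurer;
import org.springframework.web.socket.config.annotation.WebSocketHandlerRegistry;

@Configuration
@EnableWebSocket
public class DevServerOriginConfig implements WebSocketConfigurer, WebMvcConfigurer {

    // Assumption: the dev UI is served by the dev server itself on port 8080,
    // so these are the only origins a legitimate browser page will send.
    private static final String[] ALLOWED_ORIGINS = {
        "http://localhost:8080",
        "http://127.0.0.1:8080"
    };

    // Hypothetical bean standing in for the handler behind /run_live.
    private final WebSocketHandler liveHandler;

    public DevServerOriginConfig(WebSocketHandler liveHandler) {
        this.liveHandler = liveHandler;
    }

    @Override
    public void registerWebSocketHandlers(WebSocketHandlerRegistry registry) {
        // Weak (as described above): .setAllowedOrigins("*") accepts the
        // handshake whatever Origin header the browser sends.
        // Restricted: a handshake from any other origin is rejected.
        registry.addHandler(liveHandler, "/run_live")
                .setAllowedOrigins(ALLOWED_ORIGINS);
    }

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Weak (as described above): origins = List.of("*") lets any page
        // read REST responses cross-origin.
        // Restricted: only the listed origins receive CORS response headers.
        registry.addMapping("/**")
                .allowedOrigins(ALLOWED_ORIGINS);
    }
}
```

An origin allowlist only constrains browser-initiated cross-origin access; it does not add the authentication that the server lacks.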