Description
Aegra is a drop-in replacement for LangSmith Deployments. Prior to 0.9.7, with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated attacker, given another user's thread_id, can execute graph runs against the user's thread, read the user's full checkpoint state, and inject arbitrary messages into the user's conversation history. This vulnerability is fixed in 0.9.7.
Published: 2026-05-14
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Aegra suffered an IDOR flaw that allows any authenticated attacker who knows another user’s thread_id to trigger graph runs, read the victim’s full checkpoint state, and inject arbitrary messages into the victim’s conversation history. This results in exposed personal data and the ability to alter the victim’s conversation flow, representing a significant breach of confidentiality, integrity, and availability. The weakness corresponds to the absence of proper authorization checks on the /threads/{thread_id}/runs endpoint, reflecting CWE‑285 and CWE‑639.

Affected Systems

The vulnerability affects the Aegra application in all releases prior to version 0.9.7. Instances running on a shared deployment with multiple authenticated users are at risk. No specific vendor product list beyond the Aegra entry is referenced.

Risk and Exploitability

With a CVSS score of 8.6 the complexity of exploitation is low, but the attack vector requires the attacker to be logged in and possess the target’s thread_id. While EPSS data is not available, the high static score and the lack of a public exploit indicate a potentially high risk for organizations that have not upgraded. The vulnerability is not yet listed in the CISA KEV catalog, but the impact warrants urgent attention.

Generated by OpenCVE AI on May 14, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Aegra version 0.9.7 or later, which removes the missing authorization check on the /threads/{thread_id}/runs endpoint.
  • Configure the deployment to isolate tenants or enforce strict access controls so that thread identifiers are not exposed across users.
  • If an upgrade is temporarily infeasible, disable the ability to create or run graph executions via the affected endpoint until a patch is applied.

Generated by OpenCVE AI on May 14, 2026 at 17:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m98r-6667-4wq7 Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR)
History

Sat, 16 May 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description Aegra is a drop-in replacement for LangSmith Deployments. Prior to 0.9.7, with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated attacker, given another user's thread_id, can execute graph runs against the user's thread, read the user's full checkpoint state, and inject arbitrary messages into the user's conversation history. This vulnerability is fixed in 0.9.7.
Title Aegra: Cross-user run injection in /threads/{thread_id}/runs (IDOR)
Weaknesses CWE-285
CWE-639
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-16T00:38:24.939Z

Reserved: 2026-05-06T18:28:20.886Z

Link: CVE-2026-44504

cve-icon Vulnrichment

Updated: 2026-05-16T00:38:20.005Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T16:16:24.380

Modified: 2026-05-14T18:13:33.660

Link: CVE-2026-44504

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T17:45:25Z

Weaknesses