Description
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.3, a Langroid application exposing a chat interface to untrusted users may allow direct tool invocation via raw JSON payloads, even when tools are registered with `use=False, handle=True`. Version 0.65.3 fixes the issue.
Published: 2026-07-09
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gjgq-w2m6-wr5q Langroid: handle_message() executes user-supplied tool JSON without sender verification
History

Fri, 10 Jul 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Langroid
Langroid langroid
Vendors & Products Langroid
Langroid langroid

Fri, 10 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Description Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.3, a Langroid application exposing a chat interface to untrusted users may allow direct tool invocation via raw JSON payloads, even when tools are registered with `use=False, handle=True`. Version 0.65.3 fixes the issue.
Title Langroid: handle_message() executes user-supplied tool JSON without sender verification
Weaknesses CWE-75
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Langroid Langroid
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-09T23:52:11.014Z

Reserved: 2026-06-15T23:23:57.713Z

Link: CVE-2026-54771

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T01:30:03Z

Weaknesses
  • CWE-75

    Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)