Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Impact
Aegra deployments running 0.9.0 through 0.9.6 with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated user (User A), given another user's thread_id (User B), can:
- Execute graph runs against User B's thread via
POST /threads/{thread_id}/runs,POST /threads/{thread_id}/runs/stream, orPOST /threads/{thread_id}/runs/wait - Read User B's full checkpoint state via the resulting run's
outputfield - Inject arbitrary messages into User B's conversation history (persisted in B's checkpoint)
- Hide their activity from User B's
GET /threads/{thread_id}/runslisting because the run carries A'suser_id
The streaming variant is worse - the first SSE event: values frame returns the entire prior messages array immediately on connection, no graph execution needed.
Thread IDs are UUIDs but leak through frontend URLs, server logs, observability traces, and shared links. Guessing is not required.
Patches
Fixed in 0.9.7. The three affected endpoints now perform an SQL-level user_id == authenticated_user.identity check before calling _prepare_run. When the thread exists but is owned by another user, the response is 404 Thread not found (matching the read-side pattern) to avoid leaking thread existence.
Workarounds
If upgrade is not immediately possible, register an @auth.on("threads", "create_run") handler that explicitly verifies thread ownership against the authenticated identity before allowing the operation. Without a handler, no built-in authorization runs on these write paths.
Example mitigation handler:
from langgraph_sdk import Auth
auth = Auth()
@auth.on("threads", "create_run")
async def enforce_thread_owner(ctx: Auth.types.AuthContext, value: dict):
# Look up the thread, raise 404 if not owned by ctx.user.identity.
# Implementation depends on your data layer.
...Root cause
Aegra's authorization model delegates per-resource policy to user-defined @auth.on handlers. When no handler is registered, handle_event(...) returns None and the request proceeds (default-allow). Read endpoints in api/threads.py add a defense-in-depth user_id filter at the SQL layer, but the run-creation endpoints in api/runs.py skipped that filter. Result: out-of-the-box deployments without custom auth handlers were vulnerable.
Affected endpoints
POST /threads/{thread_id}/runsPOST /threads/{thread_id}/runs/streamPOST /threads/{thread_id}/runs/wait
Stateless variants (POST /runs, POST /runs/wait, POST /runs/stream) are NOT affected - they generate a fresh thread_id server-side and never accept a caller-supplied one.
Credits
- @JoJoTheBizarre - discovered and reported the vulnerability with a precise reproducer (#336)
- @victorjmarin and @jawhardjebbi - wrote the fix and added test coverage at unit, integration, and manual-auth e2e levels (#337)
Resources
- Issue: https://github.com/aegra/aegra/issues/336
- Fix PR: https://github.com/aegra/aegra/pull/337
- Release: https://github.com/aegra/aegra/releases/tag/v0.9.7
AnalysisAI
Cross-tenant Insecure Direct Object Reference (IDOR) in Aegra 0.9.0-0.9.6 allows any authenticated user to execute graph runs against other users' threads, exfiltrate full checkpoint state including conversation histories, and inject malicious messages into victims' threads by supplying known thread UUIDs to POST /threads/{thread_id}/runs endpoints. Thread IDs leak through frontend URLs, server logs, and observability traces, eliminating need for enumeration. Vendor-released patch (v0.9.7) confirmed by GitHub advisory GHSA-m98r-6667-4wq7. No active exploitation or POC identified at time of analysis, though detailed reproducer exists in issue #336.
Technical ContextAI
Aegra is a Python-based graph execution framework built on LangGraph SDK (pkg:pip/aegra-api) using a pluggable authorization model via @auth.on handlers. CWE-285 (Improper Authorization) manifests as missing SQL-level user_id filters in api/runs.py endpoints that create graph runs from caller-supplied thread_id parameters. While read endpoints (api/threads.py) enforce defense-in-depth SQL ownership checks (WHERE user_id = authenticated_user.identity), the three write endpoints (create_run, create_and_stream_run, wait_for_run) relied solely on optional user-defined @auth.on handlers. Aegra's default-allow model (when no handler is registered, handle_event() returns None and permits the request) left out-of-the-box multi-tenant deployments unprotected. The streaming variant (POST /threads/{thread_id}/runs/stream) leaks data immediately upon SSE connection in the first event: values frame without requiring graph execution. Thread UUIDs are not secret - they appear in URLs, logs, tracing spans, and shared links, making horizontal privilege escalation trivial for any authenticated user.
RemediationAI
Upgrade to Aegra 0.9.7 or later immediately for multi-tenant deployments (fixed package available at https://github.com/aegra/aegra/releases/tag/v0.9.7, fix commit: https://github.com/aegra/aegra/commit/e1b2042254fd49072ca281bc35b3f2a3bed74b31). Patch adds SQL-level user_id ownership verification to POST /threads/{thread_id}/runs, POST /threads/{thread_id}/runs/stream, and POST /threads/{thread_id}/runs/wait before run preparation, returning 404 for cross-user access attempts to prevent thread existence disclosure. If immediate upgrade is blocked, deploy compensating control by registering an @auth.on("threads", "create_run") handler that queries the thread table and raises HTTP 404 if thread.user_id != ctx.user.identity (example implementation in vendor advisory). Trade-off: custom handler adds latency to every run creation and requires maintaining auth logic in application code. Verify fix effectiveness by testing cross-user thread access returns 404 using test vectors from PR #337 (https://github.com/aegra/aegra/pull/337). No configuration changes or data migration required. Validate upgraded instances by confirming StreamingResponse returns 404 on event stream connection for foreign thread_id before emitting SSE frames.
More in Checkpoint
View allbackend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data
PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]
Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte
Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che
Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo
A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien
Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef
Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec
Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us
Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30322
GHSA-m98r-6667-4wq7