Skip to main content

Aegra CVE-2026-44504

| EUVDEUVD-2026-30322 HIGH
Improper Authorization (CWE-285)
2026-05-07 https://github.com/aegra/aegra GHSA-m98r-6667-4wq7
8.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 14, 2026 - 16:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 14, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 14, 2026 - 16:22 NVD
8.6 (HIGH)
Source Code Evidence Fetched
May 07, 2026 - 02:16 vuln.today
Analysis Generated
May 07, 2026 - 02:16 vuln.today
CVE Published
May 07, 2026 - 01:49 nvd
HIGH

DescriptionGitHub Advisory

Impact

Aegra deployments running 0.9.0 through 0.9.6 with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated user (User A), given another user's thread_id (User B), can:

  • Execute graph runs against User B's thread via POST /threads/{thread_id}/runs, POST /threads/{thread_id}/runs/stream, or POST /threads/{thread_id}/runs/wait
  • Read User B's full checkpoint state via the resulting run's output field
  • Inject arbitrary messages into User B's conversation history (persisted in B's checkpoint)
  • Hide their activity from User B's GET /threads/{thread_id}/runs listing because the run carries A's user_id

The streaming variant is worse - the first SSE event: values frame returns the entire prior messages array immediately on connection, no graph execution needed.

Thread IDs are UUIDs but leak through frontend URLs, server logs, observability traces, and shared links. Guessing is not required.

Patches

Fixed in 0.9.7. The three affected endpoints now perform an SQL-level user_id == authenticated_user.identity check before calling _prepare_run. When the thread exists but is owned by another user, the response is 404 Thread not found (matching the read-side pattern) to avoid leaking thread existence.

Workarounds

If upgrade is not immediately possible, register an @auth.on("threads", "create_run") handler that explicitly verifies thread ownership against the authenticated identity before allowing the operation. Without a handler, no built-in authorization runs on these write paths.

Example mitigation handler:

python
from langgraph_sdk import Auth

auth = Auth()

@auth.on("threads", "create_run")
async def enforce_thread_owner(ctx: Auth.types.AuthContext, value: dict):
# Look up the thread, raise 404 if not owned by ctx.user.identity.
# Implementation depends on your data layer.
    ...

Root cause

Aegra's authorization model delegates per-resource policy to user-defined @auth.on handlers. When no handler is registered, handle_event(...) returns None and the request proceeds (default-allow). Read endpoints in api/threads.py add a defense-in-depth user_id filter at the SQL layer, but the run-creation endpoints in api/runs.py skipped that filter. Result: out-of-the-box deployments without custom auth handlers were vulnerable.

Affected endpoints

  • POST /threads/{thread_id}/runs
  • POST /threads/{thread_id}/runs/stream
  • POST /threads/{thread_id}/runs/wait

Stateless variants (POST /runs, POST /runs/wait, POST /runs/stream) are NOT affected - they generate a fresh thread_id server-side and never accept a caller-supplied one.

Credits

  • @JoJoTheBizarre - discovered and reported the vulnerability with a precise reproducer (#336)
  • @victorjmarin and @jawhardjebbi - wrote the fix and added test coverage at unit, integration, and manual-auth e2e levels (#337)

Resources

  • Issue: https://github.com/aegra/aegra/issues/336
  • Fix PR: https://github.com/aegra/aegra/pull/337
  • Release: https://github.com/aegra/aegra/releases/tag/v0.9.7

AnalysisAI

Cross-tenant Insecure Direct Object Reference (IDOR) in Aegra 0.9.0-0.9.6 allows any authenticated user to execute graph runs against other users' threads, exfiltrate full checkpoint state including conversation histories, and inject malicious messages into victims' threads by supplying known thread UUIDs to POST /threads/{thread_id}/runs endpoints. Thread IDs leak through frontend URLs, server logs, and observability traces, eliminating need for enumeration. Vendor-released patch (v0.9.7) confirmed by GitHub advisory GHSA-m98r-6667-4wq7. No active exploitation or POC identified at time of analysis, though detailed reproducer exists in issue #336.

Technical ContextAI

Aegra is a Python-based graph execution framework built on LangGraph SDK (pkg:pip/aegra-api) using a pluggable authorization model via @auth.on handlers. CWE-285 (Improper Authorization) manifests as missing SQL-level user_id filters in api/runs.py endpoints that create graph runs from caller-supplied thread_id parameters. While read endpoints (api/threads.py) enforce defense-in-depth SQL ownership checks (WHERE user_id = authenticated_user.identity), the three write endpoints (create_run, create_and_stream_run, wait_for_run) relied solely on optional user-defined @auth.on handlers. Aegra's default-allow model (when no handler is registered, handle_event() returns None and permits the request) left out-of-the-box multi-tenant deployments unprotected. The streaming variant (POST /threads/{thread_id}/runs/stream) leaks data immediately upon SSE connection in the first event: values frame without requiring graph execution. Thread UUIDs are not secret - they appear in URLs, logs, tracing spans, and shared links, making horizontal privilege escalation trivial for any authenticated user.

RemediationAI

Upgrade to Aegra 0.9.7 or later immediately for multi-tenant deployments (fixed package available at https://github.com/aegra/aegra/releases/tag/v0.9.7, fix commit: https://github.com/aegra/aegra/commit/e1b2042254fd49072ca281bc35b3f2a3bed74b31). Patch adds SQL-level user_id ownership verification to POST /threads/{thread_id}/runs, POST /threads/{thread_id}/runs/stream, and POST /threads/{thread_id}/runs/wait before run preparation, returning 404 for cross-user access attempts to prevent thread existence disclosure. If immediate upgrade is blocked, deploy compensating control by registering an @auth.on("threads", "create_run") handler that queries the thread table and raises HTTP 404 if thread.user_id != ctx.user.identity (example implementation in vendor advisory). Trade-off: custom handler adds latency to every run creation and requires maintaining auth logic in application code. Verify fix effectiveness by testing cross-user thread access returns 404 using test vectors from PR #337 (https://github.com/aegra/aegra/pull/337). No configuration changes or data migration required. Validate upgraded instances by confirming StreamingResponse returns 404 on event stream connection for foreign thread_id before emitting SSE frames.

CVE-2017-1000083 HIGH POC
7.8 Sep 05

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e

CVE-2024-3568 CRITICAL POC
9.6 Apr 10

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data

CVE-2026-24747 HIGH POC
8.8 Jan 27

PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]

CVE-2022-41604 HIGH POC
8.8 Sep 27

Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever

CVE-2024-24919 HIGH POC
8.6 May 28

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte

CVE-2026-58659 HIGH POC
8.4 Jul 15

Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che

CVE-2019-8461 HIGH POC
7.8 Aug 29

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo

CVE-2019-8452 HIGH POC
7.8 Apr 22

A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien

CVE-2013-7350 CRITICAL
10.0 Apr 01

Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef

CVE-2026-31214 CRITICAL
9.8 May 12

Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec

CVE-2019-8459 CRITICAL
9.8 Jun 20

Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us

CVE-2026-31222 HIGH
8.8 May 12

Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin

Share

CVE-2026-44504 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy