
Description

Aegra is a drop-in replacement for LangSmith Deployments. Prior to 0.9.7, instances shared by multiple authenticated users are vulnerable to a cross-tenant IDOR. Any authenticated attacker, given another user's thread_id, can execute graph runs against that user's thread, read the user's full checkpoint state, and inject arbitrary messages into the user's conversation history. This vulnerability is fixed in 0.9.7.
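The defect class here (CWE-639) is a lookup keyed only on a caller-supplied identifier. The following is an added illustration written for this record, not Aegra's own code; the `Thread` store, the `get_thread_*` functions and the user names are all constructed for the example. It contrasts a lookup that trusts the `thread_id` alone with one scoped to the authenticated principal, and shows why a foreign thread and a missing thread should produce the same not-found result.

```python
"""Added example (not Aegra's code): scope thread access to the authenticated user.

The store, thread ids and users below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Thread:
    thread_id: str
    owner: str                      # principal that created the thread
    messages: list = field(default_factory=list)
    checkpoint: dict = field(default_factory=dict)


class NotFound(Exception):
    """Raised for both unknown and foreign threads, so the response leaks nothing."""


# Constructed sample store: two tenants on one shared instance, one thread each.
THREADS = {
    "t-alice": Thread("t-alice", "alice", ["hi"], {"step": 3}),
    "t-bob": Thread("t-bob", "bob", ["hello"], {"step": 1}),
}


def get_thread_vulnerable(thread_id: str) -> Thread:
    """Vulnerable pattern: the key comes from the request and nothing ties it to the caller.

    Any authenticated user who supplies another tenant's thread_id gets that thread back,
    with its checkpoint state and message history.
    """
    return THREADS[thread_id]


def get_thread_owned(user: str, thread_id: str) -> Thread:
    """Hardened pattern: the lookup is scoped to the calling principal.

    A thread that exists but belongs to someone else is treated exactly like a thread
    that does not exist, so the caller cannot even confirm the id is valid.
    """
    thread = THREADS.get(thread_id)
    if thread is None or thread.owner != user:
        raise NotFound(thread_id)
    return thread


def can_access(user: str, thread_id: str) -> bool:
    """Boolean view of the ownership check, handy for tests and for a middleware guard."""
    try:
        get_thread_owned(user, thread_id)
        return True
    except NotFound:
        return False


def append_message(user: str, thread_id: str, message: str) -> int:
    """Write path: every mutation goes through the same owner-scoped lookup.

    Returns the new message count.
    """
    thread = get_thread_owned(user, thread_id)
    thread.messages.append(message)
    return len(thread.messages)


def read_checkpoint(user: str, thread_id: str) -> dict:
    """Read path: checkpoint state is only returned to the thread's owner."""
    return dict(get_thread_owned(user, thread_id).checkpoint)


if __name__ == "__main__":
    # bob can reach alice's thread through the unscoped lookup...
    print("unscoped lookup returns owner:", get_thread_vulnerable("t-alice").owner)
    # ...but not through the owner-scoped one.
    print("bob -> t-alice allowed:", can_access("bob", "t-alice"))
    print("alice -> t-alice allowed:", can_access("alice", "t-alice"))
```

The important design choice is that ownership is enforced inside the lookup itself rather than at each call site; every read and write path (runs, checkpoint reads, message writes) then inherits the check, which is the property the advisory describes as missing before 0.9.7.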

Status: PUBLISHED | Reserved 2026-05-06 | Published 2026-05-14 | Updated 2026-05-16 | Assigner GitHub_M

Severity: HIGH 8.6 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-285: Improper Authorization

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

< 0.9.7: affected

References

github.com/.../aegra/security/advisories/GHSA-m98r-6667-4wq7

cve.org (CVE-2026-44504)

nvd.nist.gov (CVE-2026-44504)
