CVE-2026-44504— Aegra: Cross-user run injection in /threads/{thread_id}/runs (IDOR)

Aegra: Cross-user run injection in /threads/{thread_id}/runs (IDOR)

Aegra is a drop-in replacement for LangSmith Deployments. Prior to 0.9.7, with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated attacker, given another user's thread_id, can execute graph runs against the user's thread, read the user's full checkpoint state, and inject arbitrary messages into the user's conversation history. This vulnerability is fixed in 0.9.7.

N/A

授权机制不恰当

Aegra 授权问题漏洞

Aegra是Aegra公司的一个支持构建与编排多步骤智能代理流程的大模型应用平台。 Aegra 0.9.7之前版本存在授权问题漏洞，该漏洞源于共享实例上多个经过身份验证的用户存在跨租户IDOR，任何经过身份验证的攻击者给定其他用户的thread_id后可执行图运行、读取完整检查点状态并向用户对话历史注入任意消息。

N/A

N/A