High severity · GHSA Advisory · Published May 14, 2026 · Updated May 14, 2026
CVE-2026-44504
Description
Aegra is a drop-in replacement for LangSmith Deployments. Prior to 0.9.7, instances shared by multiple authenticated users are vulnerable to a cross-tenant IDOR. Any authenticated attacker who knows another user's thread_id can execute graph runs against that user's thread, read that user's full checkpoint state, and inject arbitrary messages into that user's conversation history. This vulnerability is fixed in 0.9.7.
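The defect described above is a thread lookup keyed on thread_id alone, with no check that the caller owns the thread. The following is an added illustration of that pattern beside an owner-scoped lookup; it is hypothetical code written for this page, not Aegra's code, and the Thread model, store and user names are constructed.

```python
from dataclasses import dataclass, field

class NotFound(Exception):
    """Raised for missing and foreign threads alike: never confirm a foreign id."""

@dataclass
class Thread:
    thread_id: str
    owner: str  # identity that created the thread (hypothetical field)
    checkpoint: dict = field(default_factory=dict)
    messages: list = field(default_factory=list)

# Constructed sample store: two tenants, one thread each.
THREADS = {
    "t-alice-1": Thread("t-alice-1", "alice", {"step": 3}, ["hi from alice"]),
    "t-bob-1": Thread("t-bob-1", "bob", {"step": 1}, ["hi from bob"]),
}

def load_thread_unchecked(thread_id: str) -> Thread:
    # The IDOR pattern: keyed on thread_id alone, so any authenticated
    # caller who knows the id is served the thread.
    if thread_id not in THREADS:
        raise NotFound(thread_id)
    return THREADS[thread_id]

def load_thread_for(thread_id: str, user: str) -> Thread:
    # Hardened lookup: ownership is part of the query, and a foreign
    # thread is indistinguishable from a missing one (same 404 path).
    thread = THREADS.get(thread_id)
    if thread is None or thread.owner != user:
        raise NotFound(thread_id)
    return thread

def can_access(thread_id: str, user: str) -> bool:
    try:
        load_thread_for(thread_id, user)
        return True
    except NotFound:
        return False

def read_checkpoint(thread_id: str, user: str) -> dict:
    # Read path (checkpoint state) goes through the owner-scoped lookup.
    return load_thread_for(thread_id, user).checkpoint

def append_message(thread_id: str, user: str, text: str) -> int:
    # Write path uses the same check, so injecting messages into another
    # tenant's history is refused as well.
    thread = load_thread_for(thread_id, user)
    thread.messages.append(text)
    return len(thread.messages)
```

Every route that takes a thread_id (run, state read, history write) should call the owner-scoped loader; the unchecked variant is kept here only to show the pattern the fix removes.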
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aegra-api (PyPI) | >= 0.9.0, < 0.9.7 | 0.9.7 |
References
- github.com/advisories/GHSA-m98r-6667-4wq7 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-44504 (advisory)
- github.com/aegra/aegra/commit/e1b2042254fd49072ca281bc35b3f2a3bed74b31 (fix commit)
- github.com/aegra/aegra/issues/336 (issue)
- github.com/aegra/aegra/pull/337 (pull request)
- github.com/aegra/aegra/releases/tag/v0.9.7 (release)
- github.com/aegra/aegra/security/advisories/GHSA-m98r-6667-4wq7 (advisory)