CVE-2026-44504: Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR)
Aegra deployments running 0.9.0 through 0.9.6 with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated user (User A), given another user’s thread_id (User B), can:
- Execute graph runs against User B’s thread via
POST /threads/{thread_id}/runs,POST /threads/{thread_id}/runs/stream, orPOST /threads/{thread_id}/runs/wait - Read User B’s full checkpoint state via the resulting run’s
outputfield - Inject arbitrary messages into User B’s conversation history (persisted in B’s checkpoint)
- Hide their activity from User B’s
GET /threads/{thread_id}/runslisting because the run carries A’suser_id
The streaming variant is worse — the first SSE event: values frame returns the entire prior messages array immediately on connection, no graph execution needed.
Thread IDs are UUIDs but leak through frontend URLs, server logs, observability traces, and shared links. Guessing is not required.
References
- github.com/advisories/GHSA-m98r-6667-4wq7
- github.com/aegra/aegra
- github.com/aegra/aegra/commit/e1b2042254fd49072ca281bc35b3f2a3bed74b31
- github.com/aegra/aegra/issues/336
- github.com/aegra/aegra/pull/337
- github.com/aegra/aegra/releases/tag/v0.9.7
- github.com/aegra/aegra/security/advisories/GHSA-m98r-6667-4wq7
- nvd.nist.gov/vuln/detail/CVE-2026-44504
Code Behaviors & Features
Detect and mitigate CVE-2026-44504 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →