CVE-2026-44504
Aegra: Cross-user run injection in /threads/{thread_id}/runs (IDOR)
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Aegra is a drop-in replacement for LangSmith Deployments. Prior to 0.9.7, deployments with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated attacker, given another user's thread_id, can execute graph runs against that user's thread, read the user's full checkpoint state, and inject arbitrary messages into the user's conversation history. This vulnerability is fixed in 0.9.7.
| CWE | CWE-285 CWE-639 |
| Vendor | aegra |
| Product | aegra |
| Published | May 14, 2026 |
Affected Versions
aegra / aegra
< 0.9.7