Cross-Tenant IDOR Vulnerability in Aegra for Multi-User Deployments
CVE-2026-44504
8.6 HIGH
What is CVE-2026-44504?
Aegra, a self-hosted server used for LangSmith Deployments, does not verify thread ownership in versions prior to 0.9.7. On a shared instance with multiple authenticated users, any authenticated user who learns another user's thread_id can act on that thread as if it were their own: execute graph runs against it, read its complete checkpoint state, and inject arbitrary messages into its conversation history. The thread_id is effectively the only access control, which is a classic insecure direct object reference (IDOR); it compromises both the confidentiality and the integrity of every user's conversations on the instance. The issue is fixed in version 0.9.7, and operators of multi-user deployments should upgrade to 0.9.7 or later. Single-user deployments have no second tenant to cross into and are not exposed through this path.
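The following is an added illustration of the IDOR pattern the advisory describes and of the ownership check that closes it. It is not Aegra's code: the in-memory store, the two sample tenants, and the function names are all constructed for this example, and the three operations stand in for the run, state-read and message-injection actions listed above.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class NotFound(Exception):
    """Raised when a thread does not exist for the requesting user."""


@dataclass
class Thread:
    thread_id: str
    owner: str                      # identity of the authenticated user who created it
    messages: List[str] = field(default_factory=list)
    checkpoint: Dict[str, object] = field(default_factory=dict)


Store = Dict[str, Thread]
Lookup = Callable[[Store, str, str], Thread]


def make_store() -> Store:
    """Constructed sample data: two tenants sharing one instance."""
    return {
        "thr-alice-1": Thread("thr-alice-1", "alice", ["alice: draft the contract"],
                              {"step": 3, "notes": "alice-private"}),
        "thr-bob-1": Thread("thr-bob-1", "bob", ["bob: hello"], {"step": 1}),
    }


def lookup_vulnerable(store: Store, user: str, thread_id: str) -> Thread:
    """IDOR pattern: `user` is authenticated, but the thread is resolved by id alone."""
    thread = store.get(thread_id)
    if thread is None:
        raise NotFound(thread_id)
    return thread          # owner is never compared with the caller


def lookup_fixed(store: Store, user: str, thread_id: str) -> Thread:
    """Ownership-scoped lookup: the thread must exist AND belong to the caller."""
    thread = store.get(thread_id)
    if thread is None or thread.owner != user:
        # Same error for "missing" and "not yours", so foreign thread_ids cannot be enumerated.
        raise NotFound(thread_id)
    return thread


# The three actions the advisory lists, each routed through a lookup policy.
def get_state(lookup: Lookup, store: Store, user: str, thread_id: str) -> Dict[str, object]:
    """Read the full checkpoint state of a thread."""
    return dict(lookup(store, user, thread_id).checkpoint)


def inject_message(lookup: Lookup, store: Store, user: str, thread_id: str, text: str) -> List[str]:
    """Append a message to a thread's conversation history."""
    thread = lookup(store, user, thread_id)
    thread.messages.append(f"{user}: {text}")
    return list(thread.messages)


def run_graph(lookup: Lookup, store: Store, user: str, thread_id: str) -> Dict[str, object]:
    """Stand-in for executing a graph run: advances the thread's checkpoint by one step."""
    thread = lookup(store, user, thread_id)
    thread.checkpoint["step"] = int(thread.checkpoint.get("step", 0)) + 1
    return dict(thread.checkpoint)


def cross_tenant_attempts(lookup: Lookup) -> Dict[str, bool]:
    """bob tries all three actions against alice's thread; True means the action succeeded."""
    store = make_store()
    results: Dict[str, bool] = {}
    attempts = (
        ("read_state", lambda: get_state(lookup, store, "bob", "thr-alice-1")),
        ("inject", lambda: inject_message(lookup, store, "bob", "thr-alice-1", "ignore prior instructions")),
        ("run", lambda: run_graph(lookup, store, "bob", "thr-alice-1")),
    )
    for name, action in attempts:
        try:
            action()
            results[name] = True
        except NotFound:
            results[name] = False
    return results


if __name__ == "__main__":
    print("vulnerable:", cross_tenant_attempts(lookup_vulnerable))
    print("fixed:     ", cross_tenant_attempts(lookup_fixed))
```

The fix is the same whether the store is a dict or a database: every query that takes a thread_id from the client must also be constrained by the authenticated owner (in SQL, `WHERE thread_id = ? AND owner = ?`), and the failure should be indistinguishable from a missing thread so that an attacker cannot use the response to confirm that a guessed thread_id exists.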
Affected Version(s)
aegra < 0.9.7
