aegra-api@0.9.2

Aegra core API - Self-hosted Agent Protocol server

  • latest version: 0.9.17

  • latest non vulnerable version

  • first published: 3 months ago

  • latest version published: 52 minutes ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the aegra-api package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable version
    • Severity: H (high)
    Authorization Bypass Through User-Controlled Key

    aegra-api is an Aegra core API - Self-hosted Agent Protocol server

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the POST /threads/{thread_id}/runs, POST /threads/{thread_id}/runs/stream, and POST /threads/{thread_id}/runs/wait endpoints when thread ownership is not properly verified against the authenticated user. An attacker can gain unauthorized access to another user's thread data, execute actions on behalf of other users, and read or inject messages into another user's conversation history by supplying a valid thread_id belonging to a different user. This is only exploitable if the deployment has multiple authenticated users on a shared instance and no custom authorization handler is registered for thread run creation.
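The defect described above is a missing ownership check: the handler trusts the `thread_id` path parameter as the only key and never compares the thread's owner with the authenticated principal. The following is an added illustration of that pattern next to its hardened form; it is not Aegra's own code. The in-memory store, the `User`/`Thread` types, the handler names `create_run_unchecked`/`create_run`, and the optional `authz` hook (standing in for the custom authorization handler the advisory mentions) are all assumptions made for the demo.

```python
"""Added example: a missing thread-ownership check beside the fixed version.
Not Aegra's implementation; store, types and handler names are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    # Identity comes from the authenticated session, never from the request.
    identity: str


@dataclass
class Thread:
    thread_id: str
    owner: str
    messages: list = field(default_factory=list)


class NotFound(Exception):
    """Mapped to HTTP 404. Used both for 'no such thread' and 'not yours', so
    the endpoint does not confirm that another user's thread_id exists."""


# Constructed sample data: two authenticated users on one shared instance.
THREADS = {
    "t-alice": Thread("t-alice", owner="alice", messages=["hi from alice"]),
    "t-bob": Thread("t-bob", owner="bob"),
}

# Optional custom authorization handler (assumed hook shape): True allows.
AuthzHandler = Callable[[User, Thread], bool]


def create_run_unchecked(thread_id: str, user: User, message: str) -> list:
    """Vulnerable pattern: the user-controlled thread_id is the only key
    consulted, so any authenticated user can read or append to any thread."""
    thread = THREADS.get(thread_id)
    if thread is None:
        raise NotFound(thread_id)
    thread.messages.append(f"{user.identity}: {message}")
    return list(thread.messages)


def create_run(thread_id: str, user: User, message: str,
               authz: Optional[AuthzHandler] = None) -> list:
    """Hardened pattern: resolve the thread, then verify ownership against the
    authenticated principal before acting on it or returning its contents."""
    thread = THREADS.get(thread_id)
    if thread is None:
        raise NotFound(thread_id)
    allowed = authz(user, thread) if authz else thread.owner == user.identity
    if not allowed:
        # Same error as 'missing' so the endpoint is not an existence oracle.
        raise NotFound(thread_id)
    thread.messages.append(f"{user.identity}: {message}")
    return list(thread.messages)


def is_ownership_enforced(handler, thread_id: str, other_user: User) -> bool:
    """Regression check: True if `handler` refuses a run on a thread that
    `other_user` does not own. Use it in the test suite of a multi-user
    deployment so the check cannot silently disappear again."""
    try:
        handler(thread_id, other_user, "regression-check")
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    bob = User("bob")
    print("unchecked handler enforces ownership:",
          is_ownership_enforced(create_run_unchecked, "t-alice", bob))
    print("hardened handler enforces ownership:",
          is_ownership_enforced(create_run, "t-alice", bob))
```

The hardened handler returns the same 404 for "thread does not exist" and "thread belongs to someone else"; answering 403 in the second case would tell a caller that the guessed `thread_id` is real. The `is_ownership_enforced` helper is the kind of test a team would keep alongside the upgrade so that a later refactor of the run-creation path cannot reintroduce the bypass unnoticed.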

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade aegra-api to version 0.9.7 or higher.

    Vulnerable versions: [0.9.0,0.9.7)