Aegra Cross-Tenant Insecure Direct Object Reference Vulnerability Allowing Unauthorized Access to User Data and Actions
Vulnerability
A cross-tenant insecure direct object reference (IDOR) vulnerability has been identified in Aegra versions prior to 0.9.7. This issue allows authenticated users on a shared instance to access and manipulate another user's data. By exploiting this vulnerability, an authenticated user can execute graph runs on behalf of another user, access their full checkpoint state, and inject arbitrary messages into their conversation history. The vulnerability arises because the application lacks proper authorization checks on key endpoints, allowing unauthorized access to user-specific resources.
Impact
Exploitation of this vulnerability allows for unauthorized access to another user's threads, including the ability to execute graph runs, read checkpoint states, and inject messages into conversations. Additionally, the vulnerability could be exploited to bypass visibility into the user's thread activity.
Reproduction
To reproduce this vulnerability, an authenticated user must obtain another user's thread ID, which can be accessed through frontend URLs, server logs, or shared links. Once the thread ID is acquired, the user can send a request to the '/threads/{thread_id}/runs' endpoint to execute a graph run on the targeted thread. The run's output will include the thread owner's checkpoint state, and any messages injected during the process will be added to the thread owner's conversation history. This vulnerability can also be reproduced using the streaming variant, which immediately returns the entire messages array upon connection, without requiring graph execution.
Remediation
Users can upgrade to Aegra version 0.9.7 or later, where this vulnerability has been fixed. If an immediate upgrade is not possible, a custom authorization handler can be registered to verify thread ownership before allowing run creation. This handler should check that the authenticated user owns the thread, raising a 404 error if they do not.
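The ownership check described above, as an added example that is not Aegra's code or API: a framework-independent sketch in which HTTPError, Thread, THREADS, require_thread_owner, create_run and stream_run are all hypothetical names, and the thread store is constructed sample data. The same check guards both run creation and the streaming variant, and unknown and foreign thread IDs get an identical 404.

```python
# Added illustration: framework-independent sketch, not Aegra's API.
from dataclasses import dataclass, field


class HTTPError(Exception):
    """Minimal stand-in for a web framework's HTTP exception (hypothetical)."""
    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status = status
        self.detail = detail


@dataclass
class Thread:
    owner_id: str
    messages: list = field(default_factory=list)


# Constructed sample data: two tenants on one shared instance.
THREADS = {
    "thread-alice": Thread("alice", ["alice: quarterly numbers"]),
    "thread-bob": Thread("bob", ["bob: hello"]),
}


def require_thread_owner(user_id: str, thread_id: str, threads=THREADS) -> Thread:
    """Return the thread only if user_id owns it.

    Unknown and foreign threads produce the same 404, so the response
    does not confirm that another tenant's thread ID exists.
    """
    thread = threads.get(thread_id)
    if thread is None or thread.owner_id != user_id:
        raise HTTPError(404, "Thread not found")
    return thread


def create_run(user_id: str, thread_id: str, message: str, threads=THREADS) -> dict:
    """Run creation: the ownership check precedes any read or write of state."""
    thread = require_thread_owner(user_id, thread_id, threads)
    thread.messages.append(f"{user_id}: {message}")
    return {"thread_id": thread_id, "messages": list(thread.messages)}


def stream_run(user_id: str, thread_id: str, threads=THREADS) -> list:
    """Streaming variant: same check, since it returns messages on connect."""
    return list(require_thread_owner(user_id, thread_id, threads).messages)
```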
