<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Langroid (&lt;= 0.65.2) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/langroid--0.65.2/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 20:45:48 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/langroid--0.65.2/feed.xml" rel="self" type="application/rss+xml"/><item><title>Langroid Tool Invocation Bypass via Unverified User Messages (CVE-2026-54771)</title><link>https://feed.craftedsignal.io/briefs/2026-07-langroid-tool-invocation-bypass/</link><pubDate>Mon, 06 Jul 2026 20:45:48 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-langroid-tool-invocation-bypass/</guid><description>A high-severity vulnerability, CVE-2026-54771, in Langroid applications allows untrusted users to directly invoke internal tools via raw JSON payloads, even when these tools are configured not to be used by the LLM, enabling malicious actors to bypass security controls and execute sensitive operations like file read/write, database queries, or access to internal orchestration tools.</description><content:encoded><![CDATA[<p>A critical logic flaw (CVE-2026-54771) has been identified in Langroid applications, affecting versions up to and including 0.65.2. This vulnerability allows untrusted users interacting with a chat interface to directly invoke internal application tools by supplying raw JSON payloads. The <code>handle_message()</code> function within the <code>ChatAgent</code> lacks proper sender verification, permitting tools registered with <code>use=False, handle=True</code> to be executed, which developers might mistakenly believe are protected from direct user invocation. This bypass of intended security controls can lead to unauthorized actions such as file system manipulation, database command execution, or control over internal orchestration tools, posing a significant risk of remote code execution or sensitive data compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker, as an untrusted user, interacts with a vulnerable Langroid chat application.</li>
<li>The attacker crafts a malicious chat message containing a raw JSON payload designed to invoke a specific internal tool, for example, <code>{&quot;request&quot;:&quot;secret_tool&quot;,&quot;value&quot;:&quot;pwned&quot;}</code>.</li>
<li>The Langroid <code>ChatAgent</code> receives the user's message as input.</li>
<li>The <code>agent.handle_message()</code> function is called to process the user's input.</li>
<li>Inside <code>handle_message()</code>, the <code>get_tool_messages()</code> method parses the raw JSON from the user message, identifying it as a valid <code>ToolMessage</code> invocation.</li>
<li>Despite the tool (e.g., <code>SecretTool</code>) being configured with <code>use=False, handle=True</code>, indicating it should not be directly generated by the LLM or exposed to end-users, its <code>handle()</code> method is directly executed.</li>
<li>The <code>handle()</code> method performs its intended action, which, depending on the tool, could include reading/writing files, executing database queries, or interacting with internal systems.</li>
<li>The attacker successfully bypasses security mechanisms to achieve unauthorized execution of internal tools, potentially leading to remote code execution or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of CVE-2026-54771 can be severe, leading to significant compromise of affected systems. Depending on the specific internal tools enabled within the Langroid application, attackers could achieve capabilities such as arbitrary file read and write, direct execution of database queries, or unauthorized access to and manipulation of internal orchestration systems. This could result in sensitive data exfiltration, system defacement, denial of service, or full remote code execution, undermining the integrity, confidentiality, and availability of the application and underlying infrastructure. Developers may have registered these tools with the belief that <code>use=False</code> provides sufficient protection, making this vulnerability particularly insidious.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch Langroid applications to a version greater than 0.65.2 to address CVE-2026-54771.</li>
<li>Review all <code>enable_message</code> configurations within your Langroid applications, especially for sensitive tools, to ensure that only trusted entities can invoke them.</li>
<li>Implement robust input validation and sanitization at the application boundary for all user-supplied chat inputs to prevent raw JSON tool payloads from reaching the <code>handle_message()</code> function.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>langroid</category><category>vulnerability</category><category>rce</category><category>logic-error</category><category>python</category></item></channel></rss>