{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29791", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T16:26:02.900Z", "datePublished": "2026-03-06T20:39:40.852Z", "dateUpdated": "2026-03-09T20:54:30.319Z"}, "containers": {"cna": {"title": "Agentgateway: Missing parameter sanitization in MCP to OpenAPI conversion", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/agentgateway/agentgateway/security/advisories/GHSA-v2x6-wwfw-r2rq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/agentgateway/agentgateway/security/advisories/GHSA-v2x6-wwfw-r2rq"}], "affected": [{"vendor": "agentgateway", "product": "agentgateway", "versions": [{"version": "< 0.12.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T20:39:40.852Z"}, "descriptions": [{"lang": "en", "value": "Agentgateway is an open source data plane for agentic AI connectivity within or across any agent framework or environment. Prior to version 0.12.0, when converting MCP tools/call request to OpenAPI request, input path, query, and header values are not sanitized. This issue has been patched in version 0.12.0."}], "source": {"advisory": "GHSA-v2x6-wwfw-r2rq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29791", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:50:18.880504Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:54:30.319Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29791", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:50:18.880504Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:51:42.473Z"}}], "cna": {"title": "Agentgateway: Missing parameter sanitization in MCP to OpenAPI conversion", "source": {"advisory": "GHSA-v2x6-wwfw-r2rq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "agentgateway", "product": "agentgateway", "versions": [{"status": "affected", "version": "< 0.12.0"}]}], "references": [{"url": "https://github.com/agentgateway/agentgateway/security/advisories/GHSA-v2x6-wwfw-r2rq", "name": "https://github.com/agentgateway/agentgateway/security/advisories/GHSA-v2x6-wwfw-r2rq", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Agentgateway is an open source data plane for agentic AI connectivity within or across any agent framework or environment. Prior to version 0.12.0, when converting MCP tools/call request to OpenAPI request, input path, query, and header values are not sanitized. This issue has been patched in version 0.12.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T20:39:40.852Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29791", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:54:30.319Z", "dateReserved": "2026-03-04T16:26:02.900Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T20:39:40.852Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lfprojects:agentgateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "C039D59A-DC0B-4CFA-B237-1C313AB26082", "versionEndExcluding": "0.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Agentgateway is an open source data plane for agentic AI connectivity within or across any agent framework or environment. Prior to version 0.12.0, when converting MCP tools/call request to OpenAPI request, input path, query, and header values are not sanitized. This issue has been patched in version 0.12.0."}, {"lang": "es", "value": "Agentgateway es un plano de datos de c\u00f3digo abierto para la conectividad de IA ag\u00e9ntica dentro o a trav\u00e9s de cualquier framework o entorno de agente. Antes de la versi\u00f3n 0.12.0, al convertir solicitudes de herramientas/llamadas MCP a solicitudes OpenAPI, los valores de ruta de entrada, consulta y encabezado no se desinfectan. Este problema ha sido parcheado en la versi\u00f3n 0.12.0."}], "id": "CVE-2026-29791", "lastModified": "2026-03-18T19:03:44.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-06T21:16:15.787", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/agentgateway/agentgateway/security/advisories/GHSA-v2x6-wwfw-r2rq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.12.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "agentgateway", "source": "cna", "vendor": "agentgateway"}, "product": "agentgateway", "vendor": "agentgateway"}], "analysis": {"en": {"generated_at": "2026-04-16T11:12:21.051438+00:00", "value": {"mitigation_remediation": ["Upgrade Agentgateway to version 0.12.0 or later, which includes the input sanitization fixes for MCP to OpenAPI conversion.", "If upgrade cannot be applied immediately, restrict network access to the MCP endpoint so that only trusted hosts can send conversion requests, reducing the attack surface.", "Implement custom input validation or sanitization for path, query, and header values before they are passed to the OpenAPI converter, ensuring that only expected characters and formats are accepted."], "summary": {"action": "Apply Patch", "impact": "Injection"}, "threat_synthesis": {"affected_systems": "All installations of Agentgateway older than version 0.12.0. The affected product is the open\u2011source data plane component named Agentgateway, as listed by the CNA vendor product pair agentgateway:agentgateway. No other vendor or product variants are referenced in the advisory.", "description_and_impact": "Agentgateway allows external systems to convert MCP tool calls into OpenAPI requests. In versions earlier than 0.12.0, the conversion process fails to sanitize input values for path segments, query parameters, and headers, creating a classic input validation flaw (CWE\u201120). An attacker who can supply crafted MCP calls may cause the generated OpenAPI request to contain malformed or malicious values, potentially leading to unintended API behavior, information disclosure, or denial of service.", "risk_and_exploitability": "The CVSS score of 4.9 indicates a moderate risk, and the EPSS score of less than 1% suggests the likelihood of real\u2011world exploitation is very low at present. The vulnerability is not currently listed in the CISA KEV catalog, further indicating limited exploitation activity. If an attacker can reach the MCP interface, they can manipulate the OpenAPI request generation, though this does not immediately grant arbitrary code execution. The principal risk lies in accidental or malicious alteration of downstream API requests."}}}}, "created": "2026-03-09T10:06:58.355478+00:00", "updated": "2026-04-16T11:15:27.690650+00:00", "vendors": ["agentgateway", "agentgateway$PRODUCT$agentgateway"]}