CVE-2026-29791

MEDIUM WAF: Medium

CVSS 6.5 Published: 2026-03-06

CWE-20

Agentgateway is an open source data plane for agentic AI connectivity within or across any agent framework or environment. Prior to version 0.12.0, when converting MCP tools/call request to OpenAPI request, input path, query, and header values are not sanitized. This issue has been patched in version 0.12.0.

WAF Coverage Analysis

Improper Input Validation Medium WAF Coverage

OWASP: A03:2021 Injection

920xxx - Protocol Enforcement 941xxx - XSS / XXE 942xxx - SQL Injection

Affected Software

Vendor	Product	Version
lfprojects	agentgateway	up to 0.12.0

References

github.com (Vendor Advisory)

Back to CVE Database