CVE-2026-29791 Overview
Agentgateway, an open source data plane for agentic AI connectivity within or across any agent framework or environment, contains an improper input validation vulnerability in versions prior to 0.12.0. When converting MCP (Model Context Protocol) tools/call requests to OpenAPI requests, the input path, query, and header values are not properly sanitized. This allows an attacker to inject content through these parameters, which could lead to security issues in downstream API interactions.
Critical Impact
Unsanitized input in path, query, and header parameters during MCP to OpenAPI conversion can enable injection attacks, potentially compromising the integrity and confidentiality of API communications within agentic AI environments.
Affected Products
- Agentgateway versions prior to 0.12.0
Discovery Timeline
- 2026-03-06 - CVE-2026-29791 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-29791
Vulnerability Analysis
This vulnerability stems from CWE-20 (Improper Input Validation), a fundamental security weakness where input data is not adequately validated before being processed. In Agentgateway, when MCP tools/call requests are converted to OpenAPI requests, the conversion process fails to sanitize critical request components including path parameters, query strings, and header values.
The lack of sanitization creates an attack surface where malicious actors with low-level privileges can craft specially constructed MCP tool calls containing injection payloads. These payloads pass through the conversion layer unsanitized and are subsequently included in the generated OpenAPI requests. The CVSS "scope: changed" characteristic indicates that the vulnerability's impact can extend beyond the vulnerable component itself, potentially affecting downstream systems that consume the generated OpenAPI requests.
The network-based attack vector combined with the requirement for authentication (low privileges) means that while the vulnerability is remotely exploitable, attackers need some level of access to the system to exploit it.
Root Cause
The root cause lies in the MCP to OpenAPI conversion logic within Agentgateway. The conversion function processes incoming MCP tools/call request data and maps it to corresponding OpenAPI request structures without implementing proper input sanitization routines. Specifically, the path, query, and header values are directly incorporated into the output without validation against injection patterns, special character filtering, or encoding normalization.
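The following is an added example, not agentgateway's own code, showing the kind of per-location sanitization the conversion step was missing: each MCP tool-call argument is validated and encoded according to where it lands (path segment, query value, or header value) before the HTTP request is assembled. The operation GET /pets/{petId}?filter=..., the X-Tenant header and the function names are assumptions for illustration.

```rust
// Added example (not agentgateway's own code): one hardened way to map
// MCP tools/call arguments into an OpenAPI path segment, query value and
// header value. Route, parameter names and the X-Tenant header are assumed.
#[derive(Debug, PartialEq)]
pub enum ParamError { Empty, PathTraversal, ControlChar }
// Percent-encode every byte outside the RFC 3986 unreserved set.
fn percent_encode(value: &str) -> String {
    let mut out = String::with_capacity(value.len());
    for b in value.bytes() {
        if b.is_ascii_alphanumeric() || b"-._~".contains(&b) {
            out.push(b as char);
        } else {
            out.push_str(&format!("%{:02X}", b));
        }
    }
    out
}

// A value bound to a path template must stay one segment: no dot-segments,
// no control characters, and "/" is encoded rather than passed through.
pub fn sanitize_path_segment(raw: &str) -> Result<String, ParamError> {
    if raw.is_empty() { return Err(ParamError::Empty); }
    if raw == "." || raw == ".." { return Err(ParamError::PathTraversal); }
    if raw.chars().any(char::is_control) { return Err(ParamError::ControlChar); }
    Ok(percent_encode(raw))
}

// Query values are encoded so "&" and "=" cannot add or rename parameters.
pub fn sanitize_query_value(raw: &str) -> Result<String, ParamError> {
    if raw.chars().any(char::is_control) { return Err(ParamError::ControlChar); }
    Ok(percent_encode(raw))
}

// Header values: printable ASCII plus SP/HTAB only; CR, LF and other
// control bytes are rejected so one value cannot become extra header lines.
pub fn sanitize_header_value(raw: &str) -> Result<String, ParamError> {
    if raw.bytes().any(|b| (b < 0x20 && b != b'\t') || b >= 0x7f) {
        return Err(ParamError::ControlChar);
    }
    Ok(raw.trim().to_string())
}
// Assumed OpenAPI operation GET /pets/{petId}?filter=... with X-Tenant header.
pub fn build_request(base: &str, pet_id: &str, filter: &str, tenant: &str)
    -> Result<(String, Vec<(String, String)>), ParamError> {
    let url = format!("{}/pets/{}?filter={}", base,
        sanitize_path_segment(pet_id)?, sanitize_query_value(filter)?);
    let headers = vec![("X-Tenant".to_string(), sanitize_header_value(tenant)?)];
    Ok((url, headers))
}
```

Rejecting rather than silently stripping bad input keeps the failure visible in gateway logs, which is also what the detection guidance below relies on.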
Attack Vector
An attacker with low-privilege access to the Agentgateway system can exploit this vulnerability by:
- Crafting a malicious MCP tools/call request containing injection payloads in path, query, or header parameters
- Submitting this request through the normal MCP interface
- The conversion process incorporates these unsanitized values into the generated OpenAPI request
- The malicious payload is then executed or processed by downstream systems consuming the OpenAPI request
The attack requires network access and low-level authentication but does not require user interaction. The complexity is considered high due to the specific conditions required for successful exploitation. Successful attacks can result in limited confidentiality and integrity impacts with a changed scope, meaning effects can propagate to connected systems.
Detection Methods for CVE-2026-29791
Indicators of Compromise
- Unusual or malformed characters in MCP tools/call request logs, particularly in path, query, or header fields
- Unexpected API behavior or errors in downstream systems receiving converted OpenAPI requests
- Log entries showing injection patterns such as special characters, encoded sequences, or unexpected formatting in request parameters
Detection Strategies
- Implement input validation monitoring at the MCP request ingestion point to identify potentially malicious payloads
- Deploy web application firewall (WAF) rules to detect common injection patterns in API traffic
- Review Agentgateway logs for anomalous request patterns or conversion errors that may indicate exploitation attempts
Monitoring Recommendations
- Enable verbose logging for MCP to OpenAPI conversion operations to capture full request details
- Set up alerts for requests containing known injection character sequences or encoding anomalies
- Monitor downstream API systems for unexpected behavior that may result from injected payloads
How to Mitigate CVE-2026-29791
Immediate Actions Required
- Upgrade Agentgateway to version 0.12.0 or later immediately
- If immediate upgrade is not possible, implement additional input validation at the network perimeter
- Review recent logs for signs of exploitation attempts before patching
Patch Information
The vulnerability has been addressed in Agentgateway version 0.12.0. Organizations should upgrade to this version or later to remediate the vulnerability. The fix implements proper sanitization of path, query, and header values during the MCP to OpenAPI conversion process. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Deploy a reverse proxy or API gateway in front of Agentgateway to perform input validation and sanitization before requests reach the vulnerable component
- Implement network segmentation to limit which systems can send MCP requests to Agentgateway
- Apply strict access controls to minimize the number of users with the low-level privileges required to exploit this vulnerability
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

