CVE-2026-29791

Agentgateway: Missing parameter sanitization in MCP to OpenAPI conversion

Description

Agentgateway is an open source data plane for agentic AI connectivity within or across any agent framework or environment. Prior to version 0.12.0, when converting MCP tools/call request to OpenAPI request, input path, query, and header values are not sanitized. This issue has been patched in version 0.12.0.

INFO

Published Date :

2026-03-06T20:39:40.852Z

Last Modified :

2026-03-09T20:54:30.319Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-29791 vulnerability.

Vendors	Products
Agentgateway	Agentgateway
Lfprojects	Agentgateway

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-29791.

URL	Resource
https://github.com/agentgateway/agentgateway/security/advisories/GHSA-v2x6-wwfw-r2rq

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact