Intel

AIKIDO-2026-629125

agno is vulnerable to Exposure of Sensitive Information

Exposure of Sensitive Information Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

59

Medium Risk

This Affects:

PYTHONagno
1.1.10 - 2.6.20
Fixed in 2.6.21
Are you affected? Scan for Free

TL;DR

The CustomApiTools toolkit in agno.tools.api unconditionally attached the configured Authorization: Bearer <api_key> header to every request whenever an api_key was set. When base_url was left unset, the caller-supplied endpoint was used verbatim as the full request URL, so a model- or prompt-influenced endpoint could direct the request to an attacker-controlled host while still carrying the secret API key, exfiltrating the credential and enabling server-side request forgery. The fix stops attaching the configured API-key authorization header when base_url is unset, while still honoring explicit caller-provided Authorization headers passed to make_request.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and using CustomApiTools with a configured api_key and no base_url.

Background info

agno is vulnerable to Exposure of Sensitive Information in versions 1.1.10 - 2.6.20.

How to fix this

Upgrade the agno library to the patch version.