CVE-2026-4810 is already fixed?

[ftnext]

https://nvd.nist.gov/vuln/detail/CVE-2026-4810

A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit (ADK) versions 1.7.0 (and 2.0.0a1) through 1.28.1 (and 2.0.0a2) on Python (OSS), Cloud Run, and GKE allows an unauthenticated remote attacker to execute arbitrary code on the server hosting the ADK instance.

Which version contains the fix, and which commit introduced it?

[adk-bot]

Response from ADK Answering Agent (experimental, answer may be inaccurate)

TLDR: While I cannot confirm the specifics of CVE-2026-4810, several security fixes have been included in recent versions of ADK Python. Notably, versions 1.30.0 and 1.24.0 contain fixes for credential leakage and path traversal vulnerabilities. A security advisory regarding a LiteLLM supply chain compromise was also issued in March 2026.

---

Hello @ftnext,

Thank you for your question regarding CVE-2026-4810.

While I cannot access external links like the NVD page you provided to get details on the specific vulnerability, I can point you to recent security-related changes in ADK Python based on the project's CHANGELOG.

Recent versions of ADK Python have included several security fixes:

• Version 1.30.0 (2026-04-13):

  • Fixed a credential leakage vulnerability in the Agent Registry.
  • Added validation for user_id and session_id to prevent path traversal.

• Version 1.24.0 (2026-02-04):

  • Made credential key generation stable to prevent cross-user credential leaks.

Additionally, in March 2026, a security advisory was issued concerning a supply chain compromise in LiteLLM, a dependency used in ADK Python's eval and extensions extras. Users were advised to upgrade to the latest version of ADK Python immediately.

It is highly recommended to upgrade to the latest version of ADK Python to ensure you have all the latest security patches. For more detailed information, please review the ADK Python CHANGELOG.

I hope this information is helpful.

---

References:
[1] CHANGELOG