agno

v2.6.8 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 15d AI Agents & Assistants

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

agents ai ai-agents developer-tools python

Affected surfaces

rce_ssrf breaking_upgrade

Summary

AI summary

Updates Bug Fixes, New Features, and fix across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security
Security	Medium	Centralized path safety into agno.utils.path_safety with safe_join, hardening filesystem‑touching tools against traversal, symlink escape, control‑char injection, Windows MagicDot, and Unicode normalization attacks; introduced PathSecurityError (deprecating FileGenerationSecurityError). Centralized path safety into agno.utils.path_safety with safe_join, hardening filesystem‑touching tools against traversal, symlink escape, control‑char injection, Windows MagicDot, and Unicode normalization attacks; introduced PathSecurityError (deprecating FileGenerationSecurityError). Source: granite4.1:30b@2026-05-20-audit Confidence: high	—
Security	Medium	Centralized path safety into agno.utils.path_safety with safe_join, hardening against traversal and symlink attacks. Centralized path safety into agno.utils.path_safety with safe_join, hardening against traversal and symlink attacks. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Security	Medium	Hardened Anthropic server tool content block handling, switched to canonical redacted_thinking type. Hardened Anthropic server tool content block handling, switched to canonical redacted_thinking type. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Security	Low	Hardened Anthropic server tool handling: switched to canonical redacted_thinking literal, accepted both spellings on streaming start, added dedup guard, exposed coercion failures via log_warning, and coerced non‑block results to text. Hardened Anthropic server tool handling: switched to canonical redacted_thinking literal, accepted both spellings on streaming start, added dedup guard, exposed coercion failures via log_warning, and coerced non‑block results to text. Source: granite4.1:30b@2026-05-20-audit Confidence: high	—
Feature
Feature	Medium	Added first-party support for Google's Antigravity API with AntigravityAgent and AntigravityTools. Added first-party support for Google's Antigravity API with AntigravityAgent and AntigravityTools. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Feature	Medium	Added Gemini Managed Agents: Deep Research and Antigravity interactions support. Added Gemini Managed Agents: Deep Research and Antigravity interactions support. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Feature	Medium	Cookbook now includes 18 data labeling workflows for text, image, audio, video, document, and composed tasks. Cookbook now includes 18 data labeling workflows for text, image, audio, video, document, and composed tasks. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Feature	Medium	Added deterministic Slack HITL incident-commander demo with structured pauses and clean termination. Added deterministic Slack HITL incident-commander demo with structured pauses and clean termination. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Feature	Low	Added generation_config passthrough field to GeminiInteractions and fixed history handling by sending only the new turn when previous_interaction_id is set, enabling server‑side statefulness. Added generation_config passthrough field to GeminiInteractions and fixed history handling by sending only the new turn when previous_interaction_id is set, enabling server‑side statefulness. Source: granite4.1:30b@2026-05-20-audit Confidence: high	—
Dependency
Dependency	Medium	Added missing n1n provider mapping in get_model() for correct model string resolution. Added missing n1n provider mapping in get_model() for correct model string resolution. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Dependency	Low	Updated chonkie dependency pin (follow‑up to #7869). Updated chonkie dependency pin (follow‑up to #7869). Source: granite4.1:30b@2026-05-20-audit Confidence: high	—
Dependency	Low	Added missing n1n provider mapping in get_model() so model strings like "n1n:..." resolve correctly. Added missing n1n provider mapping in get_model() so model strings like "n1n:..." resolve correctly. Source: granite4.1:30b@2026-05-20-audit Confidence: high	—
Performance	Medium	ParallelMCPBackend now sends User-Agent header to attribute traffic to agno. ParallelMCPBackend now sends User-Agent header to attribute traffic to agno. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Deprecation	Medium	Deprecated FileGenerationSecurityError alias, introduced PathSecurityError. Deprecated FileGenerationSecurityError alias, introduced PathSecurityError. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix
Bugfix	Medium	Fixed typo in AG-UI Teams causing silent drop of intermediate streaming events for ~7 months. Fixed typo in AG-UI Teams causing silent drop of intermediate streaming events for ~7 months. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Bugfix	Medium	Surfaced Google Drive API incompleteSearch flag in search_files() results. Surfaced Google Drive API incompleteSearch flag in search_files() results. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Bugfix	Medium	Added generation_config passthrough and fixed history handling for GeminiInteractions. Added generation_config passthrough and fixed history handling for GeminiInteractions. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix	Medium	Generic Gemini errors now include exception type for better context. Generic Gemini errors now include exception type for better context. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix	Medium	Added aiohttp>=3.7.3,<4 to slack extra dependencies for pip install agno[slack]. Added aiohttp>=3.7.3,<4 to slack extra dependencies for pip install agno[slack]. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix	Low	Generic Gemini errors now include the exception type when str(error) is empty or weak, preserving context across invoke/ainvoke APIs. Generic Gemini errors now include the exception type when str(error) is empty or weak, preserving context across invoke/ainvoke APIs. Source: granite4.1:30b@2026-05-20-audit Confidence: high	—
Refactor
Refactor	Medium	Preserved Anthropic server tool content blocks in message history across turns. Preserved Anthropic server tool content blocks in message history across turns. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Refactor	Low	Dropped unused available_models field from EvalsDomainConfig; AgentOSConfig.available_models is the sole source for Evals UI dropdown. Dropped unused available_models field from EvalsDomainConfig; AgentOSConfig.available_models is the sole source for Evals UI dropdown. Source: granite4.1:30b@2026-05-20-audit Confidence: high	—
Refactor	Low	Renamed gemini-3-flash-preview cookbook entries to gemini-3.5-flash across Gemini Interactions cookbooks. Renamed gemini-3-flash-preview cookbook entries to gemini-3.5-flash across Gemini Interactions cookbooks. Source: granite4.1:30b@2026-05-20-audit Confidence: high	—

Full changelog

Changelog

New Features:

Antigravity: Added first-party support for Google's Antigravity API in two shapes — AntigravityAgent (a BaseExternalAgent served through AgentOS with native sessions/streaming/UI) and AntigravityTools (a Toolkit that lets any Agno agent delegate a sub-task to a managed Antigravity sandbox).
Gemini Managed Agents: Added GeminiInteractions support for Google's managed agents — Deep Research (autonomous research with citations, background streaming with reconnect/last_event_id resume) and Antigravity (general-purpose agent in a managed Linux sandbox). New agent / agent_config / environment fields, per-agent forcing of background and store, and support for mcp_servers + file_search_store_names on the agent path.
Cookbook - Data Labeling: Added cookbook/data_labeling/ with 18 self-contained workflows covering text, image, audio, video, document, and composed (LLM-as-judge, quality review) labeling primitives.
Cookbook - Slack HITL: Added a deterministic Slack HITL incident-commander demo showing structured pauses via tool_choice="required", user_input echo, and clean termination via stop_after_tool_call=True.

Improvements:

Path Safety (Security): Centralized path-safety into a new agno.utils.path_safety module with safe_join and safe_join_subpath. Hardened FileGenerationTools, SlackTools, Toolkit._check_path, agno.skills.utils.is_safe_path, and FileTools.check_escape against path traversal, symlink escape, control-char injection, Windows MagicDot, and Unicode normalization attacks. Introduced PathSecurityError (FileGenerationSecurityError kept as deprecation alias). Bumped requires-python to >=3.9,<4.
Parallel MCP: ParallelMCPBackend now sends User-Agent: agno/<version> on every request so Parallel can attribute traffic to agno.
Evals Config: Dropped the unused available_models field from EvalsDomainConfig; the top-level AgentOSConfig.available_models is now the only supported source for the Evals UI dropdown.
Chonkie: Updated chonkie dependency pin (follow-up to #7869).
Cookbook: Renamed gemini-3-flash-preview to gemini-3.5-flash across the Gemini Interactions cookbooks.

Bug Fixes:

AG-UI Teams: Fixed a typo (stream_steps → stream_events) that caused teams running via AG-UI to silently drop all intermediate streaming events (lifecycle, reasoning, tool calls, member delegations) for ~7 months.
Slack Extra: Added aiohttp>=3.7.3,<4 to the slack optional extra — AsyncWebClient imports aiohttp at module load, so pip install agno[slack] was broken for all Slack operations.
Google Drive: Surfaced the Drive API incompleteSearch flag from GoogleDriveTools.search_files() so corpora="allDrives" callers can detect when Drive did not search every drive.
GeminiInteractions: Added a generation_config passthrough field for advanced controls (top_k, presence_penalty, etc.) and fixed history handling — when previous_interaction_id is set, only the new turn is sent rather than replaying the full history. Now actually leverages server-side statefulness.
Anthropic Server Tools: Preserved server_tool_use and code-execution content blocks in message history so multi-turn server-tool flows no longer break across turns.
Anthropic Hardening: Follow-up to the above — switched to the canonical redacted_thinking type literal (the SDK rejects redacted_reasoning_content), accepted both spellings on the streaming start event, added a dedup guard on round-tripped server tool blocks, made coercion failures visible via log_warning, and coerced non-block tool-result items to text.
Gemini Errors: Generic Gemini errors now include the exception type when str(error) is empty or weak, preserving error context across invoke / invoke_stream / ainvoke / ainvoke_stream.
N1N: Added the missing n1n provider mapping in get_model() so Agent(model="n1n:...") model-string paths now resolve correctly.

What's Changed

[chore] identify agno traffic to Parallel MCP via User-Agent by @NormallyGaussian in https://github.com/agno-agi/agno/pull/7857
[fix] Resolve N1N model strings by @pragnyanramtha in https://github.com/agno-agi/agno/pull/7948
chore: update chonkie deps by @chonk-lain in https://github.com/agno-agi/agno/pull/7904
fix: preserve Anthropic server tool content blocks in message history by @aayushbaluni in https://github.com/agno-agi/agno/pull/7766
fix(gemini): preserve generic error context by @MukundaKatta in https://github.com/agno-agi/agno/pull/7607
fix: harden Anthropic server tool content block handling by @ysolanky in https://github.com/agno-agi/agno/pull/7977
fix: GeminiInteractions generation_config passthrough and stateful input slicing by @ysolanky in https://github.com/agno-agi/agno/pull/7973
fix: centralize path safety and harden filesystem-touching tools by @Himanshu040604 in https://github.com/agno-agi/agno/pull/7707
cookbook: add deterministic Slack HITL incident commander demo by @Himanshu040604 in https://github.com/agno-agi/agno/pull/7831
[fix] Surface incomplete Google Drive searches by @basnijholt in https://github.com/agno-agi/agno/pull/7824
fix: add aiohttp to slack extra dependencies by @Mustafa-Esoofally in https://github.com/agno-agi/agno/pull/7939
fix: use stream_events instead of stream_steps for AG-UI teams by @Mustafa-Esoofally in https://github.com/agno-agi/agno/pull/7938
chore: drop unused available_models field from EvalsDomainConfig by @harshsinha03 in https://github.com/agno-agi/agno/pull/7993
cookbook: rename gemini-3-flash-preview to gemini-3.5-flash by @ysolanky in https://github.com/agno-agi/agno/pull/8005
cookbook: data labeling primitives (18 workflows) by @ashpreetbedi in https://github.com/agno-agi/agno/pull/7976
feat: add Gemini managed agents (Deep Research + Antigravity) to GeminiInteractions by @kausmeows in https://github.com/agno-agi/agno/pull/7975
feat: add antigravity tools and external agent by @ysolanky in https://github.com/agno-agi/agno/pull/8006
chore: release 2.6.8 by @ysolanky in https://github.com/agno-agi/agno/pull/8008

New Contributors

@NormallyGaussian made their first contribution in https://github.com/agno-agi/agno/pull/7857
@pragnyanramtha made their first contribution in https://github.com/agno-agi/agno/pull/7948
@chonk-lain made their first contribution in https://github.com/agno-agi/agno/pull/7904
@aayushbaluni made their first contribution in https://github.com/agno-agi/agno/pull/7766
@MukundaKatta made their first contribution in https://github.com/agno-agi/agno/pull/7607

Full Changelog: https://github.com/agno-agi/agno/compare/v2.6.7...v2.6.8

Breaking Changes

Removed `available_models` field from `EvalsDomainConfig`; only `AgentOSConfig.available_models` is now used for Evals UI dropdown.

Security Fixes

Centralized path safety into `agno.utils.path_safety` with `safe_join`/`safe_join_subpath`, hardening `FileGenerationTools`, `SlackTools`, `Toolkit._check_path`, `agno.skills.utils.is_safe_path`, and `FileTools.check_escape` against traversal, symlink escape, control‑char injection, Windows MagicDot, and Unicode normalization attacks; introduced `PathSecurityError` (deprecating `FileGenerationSecurityError`).

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track agno

Get notified when new releases ship.

About agno

Build, run, manage agentic software at scale.

All releases →