Security Deep Dive

adk-python

Security posture and CVE patch evidence from tracked releases.

15 critical dependency CVEs affect v1.34.2.

Audit transitive dependencies; consider upgrading or pinning replacements.

Versions by Severity

CVEs are attributed to tracked releases published before the patch release.

20 versions tracked
Version Published C H M L KEV Notes
v1.34.2 2026-06-01 Latest
v2.1.0 2026-05-23
v2.0.0 2026-05-19
v1.34.0 2026-05-18
v1.33.0 2026-05-08 Patches CVE-2026-42208
v1.32.0 2026-05-01 1 KEV 1
v1.31.1 2026-04-21 1 KEV 1
v1.31.0 2026-04-17 1 KEV 1
v1.30.0 2026-04-13 1 KEV 1
v1.29.0 2026-04-09 1 KEV 1
v1.28.1 2026-04-02 1 KEV 1
v1.28.0 2026-03-26 1 KEV 1
v1.27.5 2026-03-26 1 KEV 1
v1.27.4 2026-03-24 1 KEV 1
v1.27.3 2026-03-23 1 KEV 1
v1.27.2 2026-03-17 1 KEV 1
v1.27.1 2026-03-13 1 KEV 1
v1.27.0 2026-03-12 1 KEV 1
v1.26.0 2026-02-26 1 KEV 1
v1.25.1 2026-02-18 1 KEV 1
— Signed — SLSA — SBOM ✗ Security policy Weekly cadence · 6d median Active maintainer

Trust Signals — 2 of 9 Present

Evidence already collected from releases and repository metadata.

Signed releases Unknown
Latest release artifact signature Latest release
SLSA provenance Unknown
Attestation predicate level Latest release
SBOM published Unknown
GitHub SBOM API Latest release
SECURITY.md Absent
GitHub repository metadata Repository policy
Checked: 23d ago
Release cadence: weekly Present
6d median over recent releases Release history
Latest release: 2d ago
Maintainer active Present
Recent commit activity Repository
Last commit: 2d ago
Checksums (SHA256SUMS) Not active yet
SHA256SUMS or equivalent Release asset
Latest release: 2d ago
GitHub Actions attestation Not active yet
actions/attest-build-provenance Workflow file
Latest release: 2d ago
Signing assets Not active yet
.sig, .crt, cosign.pub, or similar Release asset
Latest release: 2d ago
Security Score: 0.8/10
Dependency Exposure: 106 transitive dependency CVEs found in the latest SBOM; 15 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss: 0.25 / 0.5 (Max EPSS 0.543)
freshness: 1.00 / 1.0 (1d stale)
scorecard: 2.00 / 4.0 (⚠ Estimated, not yet collected)
cve health: 0.00 / 2.5 (⚠ No direct scan, 15c/48h transitive CVEs)
patch speed: 0.50 / 0.5 (⚠ Estimated, no CVE patch history)
kev exposure: -1.50 / 1.5 (KEV exposure detected)
supply chain risk: -1.50 / 10.0 (Risk 100.0/100)

Score breakdown

schema v2

Vulnerability posture: 0.0 (25%). direct cves: clear; cve scan: estimated
Release responsiveness: 10.0 (5%). patch speed days: no_history
Dependency exposure: 0.0 (10%). supply chain risk: 100.0; transitive cves: 15c/48h
Provenance trust: 5.0 (40%). scorecard score: estimated; openssf badge: none
Maintainer health: 10.0 (10%). activity freshness: 1d
Operational risk: 1.5 (10%). kev exposure: detected; epss max: 0.543

How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 100.0/100
15 Transitive critical CVEs
0 KEV-transitive CVEs
58% Dependency freshness

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

CVE Patch History

Tracks CVEs that were addressed in tagged releases. A shorter gap between disclosure and patch means a faster response. EPSS is the predicted probability of exploitation in the next 30 days (FIRST.org); values are colored at the ≥90th and ≥50th percentile.

CVEs Patched by Year (chart; severity series: Critical, High, Medium, Low)

2026: 1
CVE Severity EPSS Disclosed Fixed in Days to fix vs Ecosystem Median KEV
CVE-2026-42208 CRITICAL 98%ile v1.33.0 KEV

KEV = CISA Known Exploited Vulnerabilities catalog — actively exploited in the wild.

Dependency Vulnerabilities

113 dependencies scanned

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical 15 High 48 Medium 38 Low 1 Unknown 4
CVE Severity KEV Dependency Affected version Cleared in release
CVE-2012-0805 critical sqlalchemy v1.33.0
CVE-2017-18342 critical pyyaml v1.33.0
CVE-2019-20477 critical pyyaml v1.33.0
CVE-2019-7164 critical sqlalchemy v1.33.0
CVE-2019-7548 critical sqlalchemy v1.33.0
CVE-2020-14343 critical pyyaml v1.33.0
CVE-2020-1747 critical pyyaml v1.33.0
CVE-2021-41945 critical httpx v1.33.0
CVE-2023-47248 critical pyarrow v1.33.0
CVE-2024-2952 critical litellm v1.33.0
CVE-2024-5751 critical litellm v1.33.0
CVE-2026-27962 critical authlib v1.33.0
CVE-2026-35030 critical litellm v1.33.0
CVE-2026-42208 critical litellm v1.34.0
GHSA-5mg7-485q-xm76 critical litellm v1.33.0
CVE-2014-1402 high jinja2 v1.33.0
CVE-2016-10745 high jinja2 v1.33.0
CVE-2018-1000518 high websockets v1.33.0
CVE-2018-18074 high requests v1.33.0
CVE-2019-10906 high jinja2 v1.33.0
CVE-2019-12408 high pyarrow v1.33.0
CVE-2019-12410 high pyarrow v1.33.0
CVE-2020-7694 high uvicorn v1.33.0
CVE-2020-7695 high uvicorn v1.33.0
CVE-2021-32677 high fastapi v1.33.0
CVE-2021-33880 high websockets v1.33.0
CVE-2023-30798 high starlette v1.33.0
CVE-2024-10188 high litellm v1.33.0
CVE-2024-24762 high fastapi v1.33.0
CVE-2024-24762 high python-multipart v1.33.0
CVE-2024-37568 high authlib v1.33.0
CVE-2024-4264 high litellm v1.33.0
CVE-2024-47874 high starlette v1.33.0
CVE-2024-4888 high litellm v1.33.0
CVE-2024-53981 high python-multipart v1.33.0
CVE-2024-5998 high langchain-community v1.33.0
CVE-2024-6587 high litellm v1.33.0
CVE-2024-6825 high litellm v1.33.0
CVE-2024-8984 high litellm v1.33.0
CVE-2024-9606 high litellm v1.33.0
CVE-2025-0330 high litellm v1.33.0
CVE-2025-0628 high litellm v1.33.0
CVE-2025-2828 high langchain-community v1.33.0
CVE-2025-53365 high mcp v1.33.0
CVE-2025-53366 high mcp v1.33.0
CVE-2025-59420 high authlib v1.33.0
CVE-2025-61920 high authlib v1.33.0
CVE-2025-62727 high starlette v1.33.0
CVE-2025-66416 high mcp v1.33.0
CVE-2025-6984 high langchain-community v1.33.0
CVE-2026-24486 high python-multipart v1.33.0
CVE-2026-2472 high google-cloud-aiplatform v1.33.0
CVE-2026-2473 high google-cloud-aiplatform v1.33.0
CVE-2026-28490 high authlib v1.33.0
CVE-2026-28498 high authlib v1.33.0
CVE-2026-28802 high authlib v1.33.0
CVE-2026-32597 high pyjwt 2.10.1 v1.33.0
CVE-2026-35029 high litellm v1.33.0
CVE-2026-41066 high lxml v1.33.0
CVE-2026-42203 high litellm v1.33.0
CVE-2026-42271 high litellm v1.33.0
CVE-2026-42561 high python-multipart v1.33.0
GHSA-69x8-hrgq-fjj8 high litellm v1.33.0
CVE-2014-0012 medium jinja2 v1.33.0
CVE-2014-1829 medium requests v1.33.0
CVE-2014-1830 medium requests v1.33.0
CVE-2014-3146 medium lxml v1.33.0
CVE-2015-2296 medium requests v1.33.0
CVE-2018-19787 medium lxml v1.33.0
CVE-2020-27783 medium lxml v1.33.0
CVE-2020-28493 medium jinja2 v1.33.0
CVE-2021-28957 medium lxml v1.33.0
CVE-2021-29510 medium pydantic v1.33.0
CVE-2021-43818 medium lxml v1.33.0
CVE-2022-2309 medium lxml v1.33.0
CVE-2023-29159 medium starlette v1.33.0
CVE-2023-32681 medium requests v1.33.0
CVE-2024-22195 medium jinja2 v1.33.0
CVE-2024-2965 medium langchain-community v1.33.0
CVE-2024-3095 medium langchain-community v1.33.0
CVE-2024-34064 medium jinja2 v1.33.0
CVE-2024-35195 medium requests v1.33.0
CVE-2024-3772 medium pydantic v1.33.0
CVE-2024-47081 medium requests v1.33.0
CVE-2024-4890 medium litellm v1.33.0
CVE-2024-5225 medium litellm v1.33.0
CVE-2024-56201 medium jinja2 v1.33.0
CVE-2024-56326 medium jinja2 v1.33.0
CVE-2024-5710 medium litellm v1.33.0
CVE-2025-27516 medium jinja2 v1.33.0
CVE-2025-54121 medium starlette v1.33.0
CVE-2025-62706 medium authlib v1.33.0
CVE-2025-68158 medium authlib v1.33.0
CVE-2025-71176 medium pytest v1.33.0
CVE-2026-25645 medium requests 2.32.4 v1.33.0
CVE-2026-28277 medium langgraph v1.33.0
CVE-2026-28684 medium python-dotenv 1.1.1 v1.33.0
CVE-2026-34450 medium anthropic v1.33.0
CVE-2026-34452 medium anthropic v1.33.0
CVE-2026-40347 medium python-multipart v1.33.0
CVE-2026-41425 medium authlib v1.33.0
CVE-2024-8309 low langchain-community v1.33.0
CVE-2020-13091 unknown pandas v1.33.0
CVE-2024-52338 unknown pyarrow v1.33.0
MAL-2026-2144 unknown litellm v1.33.0
PYSEC-2026-2 unknown litellm v1.33.0
