ByteOS Network

Vulnerability Details :

CVE-2026-7844

Assigner-VulDB

Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5

Published At-05 May, 2026 | 15:00

Updated At-06 May, 2026 | 14:16

chatchat-space Langchain-Chatchat Compatible File Service openai_routes.py delete_file missing authentication

A vulnerability was detected in chatchat-space Langchain-Chatchat up to 0.3.1.3. This vulnerability affects the function files/list_files/retrieve_file/retrieve_file_content/delete_file of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Compatible File Service. The manipulation results in missing authentication. The attacker must have access to the local network to execute the attack. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:VulDB

Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5

Published At:05 May, 2026 | 15:00

Updated At:06 May, 2026 | 14:16

▼CVE Numbering Authority (CNA)

chatchat-space Langchain-Chatchat Compatible File Service openai_routes.py delete_file missing authentication

Affected Products

Vendor

chatchat-space

Product

Langchain-Chatchat

Modules

Compatible File Service

Versions

Affected

0.3.1.0
0.3.1.1
0.3.1.2
0.3.1.3

Problem Types

Type	CWE ID	Description
CWE	CWE-306	Missing Authentication
CWE	CWE-287	Improper Authentication

Type: CWE

CWE ID: CWE-306

Description: Missing Authentication

Type: CWE

CWE ID: CWE-287

Description: Improper Authentication

Metrics

Version	Base score	Base severity	Vector
4.0	5.3	MEDIUM	CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
3.1	6.3	MEDIUM	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
3.0	6.3	MEDIUM	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
2.0	5.8	N/A	AV:A/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

Version: 4.0

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Version: 3.1

Base score: 6.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Version: 3.0

Base score: 6.3

Base severity: MEDIUM

Vector:

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Version: 2.0

Base score: 5.8

Base severity: N/A

Vector:

AV:A/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

Credits

reporter

Dem00 (VulDB User)

coordinator

VulDB CNA Team

Timeline

Event	Date
Advisory disclosed	2026-05-05 00:00:00
VulDB entry created	2026-05-05 02:00:00
VulDB entry last update	2026-05-05 12:26:09

Event: Advisory disclosed

Date: 2026-05-05 00:00:00

Event: VulDB entry created

Date: 2026-05-05 02:00:00

Event: VulDB entry last update

Date: 2026-05-05 12:26:09

References

Hyperlink	Resource
https://vuldb.com/vuln/361123	vdb-entry technical-description
https://vuldb.com/vuln/361123/cti	signature permissions-required
https://vuldb.com/submit/807790	third-party-advisory
https://github.com/chatchat-space/Langchain-Chatchat/issues/5465	issue-tracking
https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-4-Missing-Auth-File-Endpoints.md	exploit
https://github.com/chatchat-space/Langchain-Chatchat/	product

Hyperlink: https://vuldb.com/vuln/361123

Resource:

vdb-entry

technical-description

Hyperlink: https://vuldb.com/vuln/361123/cti

Resource:

signature

permissions-required

Hyperlink: https://vuldb.com/submit/807790

Resource:

third-party-advisory

Hyperlink: https://github.com/chatchat-space/Langchain-Chatchat/issues/5465

Resource:

issue-tracking

Hyperlink: https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-4-Missing-Auth-File-Endpoints.md

Resource:

exploit

Hyperlink: https://github.com/chatchat-space/Langchain-Chatchat/

Resource:

product

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:cna@vuldb.com

Published At:05 May, 2026 | 16:16

Updated At:05 May, 2026 | 19:06

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	2.1	LOW	CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary	3.1	6.3	MEDIUM	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Secondary	2.0	5.8	MEDIUM	AV:A/AC:L/Au:N/C:P/I:P/A:P

Type: Secondary

Version: 4.0

Base score: 2.1

Base severity: LOW

Vector:

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Primary

Version: 3.1

Base score: 6.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Type: Secondary

Version: 2.0

Base score: 5.8

Base severity: MEDIUM

Vector:

AV:A/AC:L/Au:N/C:P/I:P/A:P

Weaknesses

CWE ID	Type	Source
CWE-287	Primary	cna@vuldb.com
CWE-306	Primary	cna@vuldb.com

CWE ID: CWE-287

Type: Primary

Source: cna@vuldb.com

CWE ID: CWE-306

Type: Primary

Source: cna@vuldb.com

References

Hyperlink	Source	Resource
https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-4-Missing-Auth-File-Endpoints.md	cna@vuldb.com	N/A
https://github.com/chatchat-space/Langchain-Chatchat/	cna@vuldb.com	N/A
https://github.com/chatchat-space/Langchain-Chatchat/issues/5465	cna@vuldb.com	N/A
https://vuldb.com/submit/807790	cna@vuldb.com	N/A
https://vuldb.com/vuln/361123	cna@vuldb.com	N/A
https://vuldb.com/vuln/361123/cti	cna@vuldb.com	N/A

Hyperlink: https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-4-Missing-Auth-File-Endpoints.md

Source: cna@vuldb.com

Resource: N/A

Hyperlink: https://github.com/chatchat-space/Langchain-Chatchat/

Source: cna@vuldb.com

Resource: N/A

Hyperlink: https://github.com/chatchat-space/Langchain-Chatchat/issues/5465

Source: cna@vuldb.com

Resource: N/A

Hyperlink: https://vuldb.com/submit/807790

Source: cna@vuldb.com

Resource: N/A

Hyperlink: https://vuldb.com/vuln/361123

Source: cna@vuldb.com

Resource: N/A

Hyperlink: https://vuldb.com/vuln/361123/cti

Source: cna@vuldb.com

Resource: N/A

Similar CVEs

53Records found

CVE-2015-10083

Matching Score-4

Assigner-VulDB

View Details

Matching Score-4

Assigner-VulDB

CVSS Score-6.3||MEDIUM

EPSS-0.60% / 69.64%

7 Day CHG~0.00%

Published-21 Feb, 2023 | 15:00

Updated-06 Aug, 2024 | 08:58

harrystech Dynosaur-Rails application_controller.rb basic_auth improper authentication

A vulnerability has been found in harrystech Dynosaur-Rails and classified as critical. Affected by this vulnerability is the function basic_auth of the file app/controllers/application_controller.rb. The manipulation leads to improper authentication. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The patch is named 04b223813f0e336aab50bff140d0f5889c31dbec. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-221503.

Vendor-harrys harrystech

Product-dynosaur-rails Dynosaur-Rails

CWE ID-CWE-287

Improper Authentication

CVE-2018-0676

Matching Score-4

Assigner-JPCERT/CC

View Details

Matching Score-4

Assigner-JPCERT/CC

CVSS Score-8.8||HIGH

EPSS-0.16% / 36.70%

7 Day CHG~0.00%

Published-09 Jan, 2019 | 22:00

Updated-05 Aug, 2024 | 03:35

BN-SDWBP3 firmware version 1.0.9 and earlier allows an attacker on the same network segment to bypass authentication to access to the management screen and execute an arbitrary command via unspecified vectors.

Vendor-panasonic Panasonic Corporation

Product-bn-sdwbp3_firmware bn-sdwbp3 BN-SDWBP3

CWE ID-CWE-287

Improper Authentication

CVE-2025-46590

Matching Score-4

Assigner-Huawei Technologies

View Details

Matching Score-4

Assigner-Huawei Technologies

CVSS Score-6.3||MEDIUM

EPSS-0.09% / 25.45%

7 Day CHG~0.00%

Published-06 May, 2025 | 07:18

Updated-09 May, 2025 | 19:26

Bypass vulnerability in the network search instruction authentication module Impact: Successful exploitation of this vulnerability can bypass authentication and enable access to some network search functions.

Vendor-Huawei Technologies Co., Ltd.

Product-harmonyos HarmonyOS

CWE ID-CWE-287

Improper Authentication

CVE-2026-7844

Credits

chatchat-space Langchain-Chatchat Compatible File Service openai_routes.py delete_file missing authentication

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs