Vulnerabilities ›

CVE-2026-5633

High

CWE-918 — Weakness Type

                    Published: Apr 6, 2026                      ·  Modified: Apr 13, 2026                      ·  Source: NVD                

CVSS v3

7.3

🔗 NVD Official

📄 Description (English)

A vulnerability was determined in assafelovic gpt-researcher up to 3.4.3. Affected is an unknown function of the component ws Endpoint. Executing a manipulation of the argument source_urls can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

🤖 AI Executive Summary

CVE-2026-5633 is a server-side request forgery (SSRF) vulnerability in gpt-researcher versions up to 3.4.3 affecting the ws endpoint through manipulation of source_urls parameter. The vulnerability allows remote attackers to execute arbitrary requests from the affected server, potentially accessing internal resources or services.

📄 Description (Arabic)

ثغرة SSRF في مكون ws Endpoint بـ gpt-researcher تسمح للمهاجمين بمعالجة معامل source_urls للتحكم في الطلبات من جانب الخادم. يمكن للمهاجمين الوصول إلى الموارد الداخلية أو خدمات الشبكة المحلية أو تنفيذ هجمات على أنظمة أخرى.

🤖 ملخص تنفيذي (AI)

A server-side request forgery vulnerability exists in gpt-researcher up to version 3.4.3 in the ws endpoint component. Remote attackers can manipulate the source_urls parameter to force the server to make unauthorized requests to internal or external systems.

🤖 AI Intelligence Analysis Analyzed: May 7, 2026 05:17

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

banking telecom energy government healthcare

🎯 MITRE ATT&CK Techniques

T1190 T1498 T1570

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Immediately upgrade gpt-researcher to version 3.4.4 or later when available. Implement input validation and sanitization for the source_urls parameter. Deploy network segmentation to restrict outbound connections from the application server. Monitor and log all outbound requests from the affected application. Consider implementing a Web Application Firewall (WAF) with SSRF detection rules.

🔧 خطوات المعالجة (العربية)

قم بترقية gpt-researcher إلى الإصدار 3.4.4 أو أحدث عند توفره فوراً. طبق التحقق من صحة المدخلات وتنظيفها لمعامل source_urls. استخدم تقسيم الشبكة لتقييد الاتصالات الصادرة من خادم التطبيق. راقب وسجل جميع الطلبات الصادرة من التطبيق المتأثر. فكر في تطبيق جدار حماية تطبيقات الويب مع قواعد كشف SSRF.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1 5.2 6.1

🔵 SAMA CSF

CC-6.1 CC-6.2 CC-7.2

🟡 ISO 27001:2022

A.14.2.1 A.14.2.5 A.13.1.3

🔗 References & Sources 5

🔗

https://github.com/assafelovic/gpt-researcher/

cna@vuldb.com

🔗

https://github.com/assafelovic/gpt-researcher/issues/1696

cna@vuldb.com

🔗

https://vuldb.com/submit/785876

cna@vuldb.com

🔗

https://vuldb.com/vuln/355421

cna@vuldb.com

🔗

https://vuldb.com/vuln/355421/cti

cna@vuldb.com

📊 CVSS Score

7.3

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity High

CVSS Score7.3

CWECWE-918

EPSS0.04%

Exploit No

Patch ✗ No

Published 2026-04-06

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-918

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-5633

💬 Comments

Introduce Yourself

Sign In Required