Vulnerabilities ›

CVE-2026-7644

High

CWE-266 — Weakness Type

                    Published: May 2, 2026                      ·  Modified: May 9, 2026                      ·  Source: NVD                

CVSS v3

7.3

🔗 NVD Official

📄 Description (English)

A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the file app/mcp/actions.ts. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

🤖 AI Executive Summary

CVE-2026-7644 is a high-severity improper authorization vulnerability in ChatGPTNextWeb NextChat versions up to 2.16.1 affecting the MCP server addition function. The vulnerability allows remote exploitation without authentication bypass, potentially enabling unauthorized users to add malicious MCP servers to the application. With no patch currently available and public exploit disclosure, this poses an immediate risk to organizations using affected versions.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 6, 2026 20:01

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations using ChatGPTNextWeb NextChat for AI-powered customer service, internal knowledge management, or research purposes face significant risk. Most vulnerable sectors include: Banking and Financial Services (SAMA-regulated entities using AI chatbots for customer interaction), Government agencies (NCA oversight, digital transformation initiatives), Healthcare providers (patient information systems), and Telecommunications (STC, Mobily customer support systems). The improper authorization flaw could allow threat actors to inject malicious MCP servers, leading to data exfiltration, prompt injection attacks, or lateral movement within enterprise networks. Organizations in critical infrastructure sectors are particularly at risk due to potential supply chain compromise.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Administration Healthcare and Medical Services Energy and Utilities Telecommunications Education and Research E-commerce and Retail

🎯 MITRE ATT&CK Techniques

T1078 - Valid Accounts (improper authorization allows unauthorized access) T1190 - Exploit Public-Facing Application (remote exploitation possible) T1199 - Trusted Relationship (MCP server injection for supply chain compromise) T1021 - Remote Services (lateral movement via compromised MCP servers) T1566 - Phishing (malicious MCP server injection for credential harvesting) T1557 - Man-in-the-Middle (MCP server interception) T1040 - Traffic Capture (data exfiltration via MCP channels)

⚖️ Saudi Risk Score (AI)

7.8

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Inventory all instances of ChatGPTNextWeb NextChat running versions ≤2.16.1 across your organization

2. Restrict network access to affected instances using firewall rules and WAF policies

3. Implement strict input validation on MCP server addition endpoints

4. Enable comprehensive logging and monitoring of MCP server configuration changes

5. Review audit logs for unauthorized MCP server additions or suspicious configuration modifications



Compensating Controls (until patch available):

6. Implement network segmentation to isolate ChatGPT instances from sensitive systems

7. Deploy API gateway with authentication enforcement for MCP server endpoints

8. Use role-based access control (RBAC) to restrict MCP server management to authorized administrators only

9. Implement request signing and mutual TLS for MCP server communications

10. Monitor for suspicious MCP server connections and data flows



Detection Rules:

11. Alert on any POST/PUT requests to /app/mcp/actions.ts addMcpServer endpoint from non-whitelisted IPs

12. Monitor for MCP server configuration changes outside maintenance windows

13. Track failed authentication attempts to MCP management interfaces

14. Flag connections to unknown or suspicious MCP servers



Long-term:

15. Plan immediate upgrade to patched version once available (monitor GitHub releases)

16. Consider alternative AI solutions with stronger authorization controls if patch delays exceed 30 days

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. قم بحصر جميع نسخ ChatGPTNextWeb NextChat التي تعمل بالإصدارات ≤2.16.1 عبر مؤسستك

2. قيّد الوصول إلى الشبكة للنسخ المتأثرة باستخدام قواعد جدار الحماية وسياسات WAF

3. طبّق التحقق الصارم من صحة المدخلات على نقاط نهاية إضافة خادم MCP

4. فعّل السجلات الشاملة ومراقبة تغييرات تكوين خادم MCP

5. راجع سجلات التدقيق للتحقق من إضافات خادم MCP غير المصرح بها أو التعديلات المريبة

الضوابط البديلة (حتى توفر التصحيح):

6. طبّق تقسيم الشبكة لعزل نسخ ChatGPT عن الأنظمة الحساسة

7. نشّر بوابة API مع فرض المصادقة لنقاط نهاية خادم MCP

8. استخدم التحكم في الوصول القائم على الأدوار (RBAC) لتقييد إدارة خادم MCP للمسؤولين المصرح لهم فقط

9. طبّق توقيع الطلب و TLS المتبادل لاتصالات خادم MCP

10. راقب اتصالات خادم MCP المريبة وتدفقات البيانات

قواعد الكشف:

11. أصدر تنبيهات لأي طلبات POST/PUT إلى نقطة نهاية addMcpServer من عناوين IP غير مدرجة في القائمة البيضاء

12. راقب تغييرات تكوين خادم MCP خارج نوافذ الصيانة

13. تتبع محاولات المصادقة الفاشلة لواجهات إدارة MCP

14. علّم الاتصالات بخوادم MCP غير معروفة أو مريبة

المدى الطويل:

15. خطّط للترقية الفورية إلى الإصدار المصحح بمجرد توفره (راقب إصدارات GitHub)

16. فكّر في حلول ذكاء اصطناعي بديلة بضوابط تفويض أقوى إذا تجاوزت تأخيرات التصحيح 30 يوماً

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Access Control Policy (improper authorization violates access control principles) ECC 2024 A.5.2.1 - User Registration and Access Rights Management ECC 2024 A.5.3.1 - Management of Privileged Access Rights ECC 2024 A.8.2.1 - User Access Management ECC 2024 A.9.2.1 - User Access Rights Review

🔵 SAMA CSF

SAMA CSF ID.AC-1 - Access Control Policy and Procedures SAMA CSF PR.AC-1 - Identities and Credentials are Managed SAMA CSF PR.AC-3 - Access Restrictions and Management of Physical and Logical Assets SAMA CSF DE.CM-1 - The Network is Monitored to Detect Potential Cybersecurity Events

🟡 ISO 27001:2022

ISO 27001:2022 A.5.2 - Information Security Policies ISO 27001:2022 A.8.2 - Privileged Access Rights ISO 27001:2022 A.8.3 - Information Access Restriction ISO 27001:2022 A.9.2 - User Access Management ISO 27001:2022 A.9.4 - Access Rights Review

🟣 PCI DSS v4.0.1

PCI DSS 2.1 - Establish Configuration Standards PCI DSS 7.1 - Limit Access to System Components PCI DSS 8.1 - Assign Unique ID to Each User PCI DSS 8.2 - Ensure User Identity is Verified Before Modifying Authentication Credentials

🔗 References & Sources 5

🔗

https://github.com/ChatGPTNextWeb/NextChat/

cna@vuldb.com

🔗

https://github.com/ChatGPTNextWeb/NextChat/issues/6757

cna@vuldb.com

🔗

https://vuldb.com/submit/806851

cna@vuldb.com

🔗

https://vuldb.com/vuln/360756

cna@vuldb.com

🔗

https://vuldb.com/vuln/360756/cti

cna@vuldb.com

📊 CVSS Score

7.3

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity High

CVSS Score7.3

CWECWE-266

EPSS0.04%

Exploit No

Patch ✗ No

Published 2026-05-02

Source Feed nvd

🇸🇦 Saudi Risk Score

7.8

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-266

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-7644

💬 Comments

Introduce Yourself

Sign In Required