Vulnerabilities ›

CVE-2026-7844

Medium

CWE-287 — Weakness Type

                    Published: May 5, 2026                      ·  Modified: May 8, 2026                      ·  Source: NVD                

CVSS v3

6.3

🔗 NVD Official

📄 Description (English)

A vulnerability was detected in chatchat-space Langchain-Chatchat up to 0.3.1.3. This vulnerability affects the function files/list_files/retrieve_file/retrieve_file_content/delete_file of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Compatible File Service. The manipulation results in missing authentication. The attacker must have access to the local network to execute the attack. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

🤖 AI Executive Summary

CVE-2026-7844 is a missing authentication vulnerability in Langchain-Chatchat up to version 0.3.1.3 affecting file operations in the OpenAI routes component. An attacker with local network access can manipulate file operations without proper authentication.

📄 Description (Arabic)

يؤثر هذا الضعف على مكون خدمة الملفات المتوافق في Langchain-Chatchat حيث تفتقد وظائف إدارة الملفات (القائمة والاسترجاع والحذف) إلى آليات المصادقة الصحيحة. يمكن لأي مهاجم لديه وصول إلى الشبكة المحلية استغلال هذا الضعف للوصول إلى الملفات أو حذفها دون تفويض.

🤖 ملخص تنفيذي (AI)

This vulnerability allows unauthenticated access to file operations in Langchain-Chatchat versions up to 0.3.1.3, requiring only local network access. The affected functions include file listing, retrieval, and deletion without proper authentication checks.

🤖 AI Intelligence Analysis Analyzed: May 16, 2026 20:46

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

banking government healthcare

🎯 MITRE ATT&CK Techniques

T1078.001 T1021.001 T1552.001

⚖️ Saudi Risk Score (AI)

6.0

/ 10.0

🔧 Remediation Steps (English)

Upgrade Langchain-Chatchat to version 0.3.1.4 or later immediately. Implement network segmentation to restrict local network access to the API server. Add authentication middleware to all file operation endpoints. Review and audit access logs for unauthorized file operations.

🔧 خطوات المعالجة (العربية)

قم بترقية Langchain-Chatchat إلى الإصدار 0.3.1.4 أو أحدث فوراً. طبق تقسيم الشبكة لتقييد الوصول إلى خادم API. أضف طبقة مصادقة لجميع نقاط نهاية عمليات الملفات. راجع سجلات الوصول للعمليات غير المصرح بها.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 5.1.2 5.2.1

🔵 SAMA CSF

AC-2 AC-3 AC-4

🟡 ISO 27001:2022

A.9.1.1 A.9.2.1 A.9.4.1

🔗 References & Sources 6

🔗

https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-4-Missing-Auth-File-...

cna@vuldb.com

🔗

https://github.com/chatchat-space/Langchain-Chatchat/

cna@vuldb.com

🔗

https://github.com/chatchat-space/Langchain-Chatchat/issues/5465

cna@vuldb.com

🔗

https://vuldb.com/submit/807790

cna@vuldb.com

🔗

https://vuldb.com/vuln/361123

cna@vuldb.com

🔗

https://vuldb.com/vuln/361123/cti

cna@vuldb.com

📊 CVSS Score

6.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack VectorA — Adjacent

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity Medium

CVSS Score6.3

CWECWE-287

EPSS0.04%

Exploit No

Patch ✗ No

Published 2026-05-05

Source Feed nvd

🇸🇦 Saudi Risk Score

6.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-287

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-7844

Introduce Yourself

Sign In Required