Description
GPT Academic upload Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the upload endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27957.
Published: 2026-01-23
Score: 9.8 Critical
EPSS: 2.0% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a deserialization flaw in GPT Academic’s upload endpoint that permits an unauthenticated attacker to supply malicious data, which the server processes without validation. This flaw enables arbitrary code execution that can be performed with root privileges, granting full control over the affected host.

Affected Systems

The flaw affects GPT Academic version 3.91. No other vendors or products are listed in the CNA data, and the CPE confirms the product in question.

Risk and Exploitability

The CVSS base score of 9.8 indicates a critical severity level, while the EPSS score of 2% suggests a moderate probability of exploitation at this time. The vulnerability is not currently in the CISA KEV catalog, yet the lack of authentication requirements and the root‑level execution potential make it an urgent risk. An attacker would most likely exploit this weakness by sending a crafted payload to the upload endpoint through an unauthenticated HTTP request, triggering insecure deserialization and achieving code execution on the server.

Generated by OpenCVE AI on April 18, 2026 at 03:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade to a GPT Academic release that fixes the deserialization flaw.
  • Restrict the upload endpoint to require authentication or limit its accessibility to trusted IP addresses.
  • Deploy an application or web‑application firewall with rules to detect and block malformed deserialization payloads.
  • Implement server‑side input validation or whitelist acceptable data formats for the upload endpoint.


Advisories

No advisories yet.

History

Wed, 18 Feb 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Binary-husky; Binary-husky gpt Academic
CPEs | | cpe:2.3:a:binary-husky:gpt_academic:3.91:*:*:*:*:*:*:*
Vendors & Products | | Binary-husky; Binary-husky gpt Academic

Fri, 23 Jan 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gpt Academic Project; Gpt Academic Project gpt Academic
Vendors & Products | | Gpt Academic Project; Gpt Academic Project gpt Academic

Fri, 23 Jan 2026 04:00:00 +0000

Type | Values Removed | Values Added
Description | | GPT Academic upload Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the upload endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27957.
Title | | GPT Academic upload Deserialization of Untrusted Data Remote Code Execution Vulnerability
Weaknesses | | CWE-502
References | |
Metrics | | cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Binary-husky Gpt Academic
Gpt Academic Project Gpt Academic
MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-01-23T19:20:21.446Z

Reserved: 2026-01-08T22:49:59.365Z

Link: CVE-2026-0764

Vulnrichment

Updated: 2026-01-23T19:20:17.798Z

NVD

Status: Analyzed

Published: 2026-01-23T04:16:03.250

Modified: 2026-02-18T16:42:46.297

Link: CVE-2026-0764

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:30:25Z

Weaknesses