Description
A weakness has been identified in OpenAkita up to 1.24.3. This impacts the function run of the file src/openakita/tools/shell.py of the component Chat API Endpoint. Executing a manipulation of the argument Message can lead to os command injection. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-11
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Command Execution
Action: Patch or Monitor
AI Analysis

Impact

The vulnerability is a local OS command injection in the Chat API Endpoint's shell.py. An attacker can manipulate the Message argument to execute arbitrary shell commands via the run function. This compromises the confidentiality and integrity of the local system, potentially allowing full takeover. The issue is classified as CWE-77 and CWE-78 and is rated 4.8 on the CVSS v3 scale, indicating moderate severity.

Affected Systems

Affected systems are installations of OpenAkita version 1.24.3 and earlier; every build that includes the src/openakita/tools/shell.py component remains vulnerable until a patch is applied. The vulnerable component is the Chat API Endpoint in the OpenAkita suite. No specific vendor patch has been released as of the last advisory; the vendor has not responded to the disclosure request.

Risk and Exploitability

The EPSS score of <1% and absence from the CISA KEV list suggest the likelihood of exploitation is low at present, but public exploits have been shared. The attack vector requires local access to the service, so protecting the application’s runtime privileges and tightening input validation are critical. Until an official fix is available, disabling the vulnerable endpoint or restricting local user access is recommended.

Generated by OpenCVE AI on March 17, 2026 at 16:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If available, upgrade OpenAkita to the latest release that addresses the shell command injection.
  • Disable or remove the Chat API Endpoint shell functionality or configure routing to avoid exposing the vulnerable endpoint.
  • Add input validation or sanitization to the Message parameter to prevent command injection or whitelist acceptable commands.
  • Run the service with the least privilege possible (non-root or dedicated unprivileged user) to limit the impact of any injected commands.
  • Monitor system logs for unexpected command execution and restrict local user permissions to mitigate potential exploitation.
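As an added illustration of the allowlisting and input-validation advice above (example code written for this page, not OpenAkita's own shell.py): a minimal chat-tool command runner that parses the Message with shlex, never hands the text to a shell, and only launches executables from a fixed allowlist. ALLOWED_COMMANDS, validate_command, is_permitted and run are assumed names.

```python
# Added example for this advisory, not OpenAkita's own shell.py; names are assumed.
import re
import shlex
import subprocess
from typing import List

# Assumption: the chat tool only needs a small, fixed set of read-only commands.
ALLOWED_COMMANDS = {"ls", "cat", "head", "wc", "pwd", "echo"}
# Characters that would change meaning if the text ever reached a shell.
SHELL_META = re.compile(r"[;&|`$<>\\\n]")


class CommandRejected(ValueError):
    """Raised when a chat message does not describe a permitted command."""


def validate_command(message: str) -> List[str]:
    """Turn a chat Message into an argv list, or raise CommandRejected.

    shlex plus shell=False makes ';', '|' and '$(...)' inert; the allowlist
    additionally bounds which executables the endpoint can launch at all.
    """
    if SHELL_META.search(message):
        raise CommandRejected("shell metacharacters are not permitted")
    try:
        argv = shlex.split(message)
    except ValueError as exc:  # unbalanced quotes and similar
        raise CommandRejected(f"could not parse command: {exc}") from exc
    if not argv:
        raise CommandRejected("empty command")
    if argv[0] not in ALLOWED_COMMANDS:
        raise CommandRejected(f"command not allowed: {argv[0]!r}")
    return argv


def is_permitted(message: str) -> bool:
    """Yes/no wrapper around validate_command for callers and tests."""
    try:
        validate_command(message)
        return True
    except CommandRejected:
        return False


def run(message: str, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Execute a validated command with shell=False and a timeout."""
    argv = validate_command(message)
    # argv goes straight to execve; no shell ever parses the Message text.
    return subprocess.run(argv, shell=False, capture_output=True, text=True,
                          timeout=timeout, check=False)
```

Pair this with running the service as an unprivileged user: the allowlist limits what the endpoint can launch, the account limits what a permitted command can reach.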

Generated by OpenCVE AI on March 17, 2026 at 16:16 UTC.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | - | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Openakita; Openakita openakita
Vendors & Products | - | Openakita; Openakita openakita

Wed, 11 Mar 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | - | A weakness has been identified in OpenAkita up to 1.24.3. This impacts the function run of the file src/openakita/tools/shell.py of the component Chat API Endpoint. Executing a manipulation of the argument Message can lead to os command injection. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title | - | OpenAkita Chat API Endpoint shell.py run os command injection
Weaknesses | - | CWE-77, CWE-78
References | - |
Metrics | - | cvssV2_0: {'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | - | cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | - | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | - | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T13:29:32.389Z

Reserved: 2026-03-11T13:08:22.273Z

Link: CVE-2026-3964

Vulnrichment

Updated: 2026-03-12T13:29:28.896Z

NVD

Status: Deferred

Published: 2026-03-11T23:16:01.237

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3964

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:39Z

Weaknesses