Description
A vulnerability was detected in chatchat-space Langchain-Chatchat up to 0.3.1.3. This vulnerability affects the function files/list_files/retrieve_file/retrieve_file_content/delete_file of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Compatible File Service. The manipulation results in missing authentication. The attacker must have access to the local network to execute the attack. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-05
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in Langchain-Chatchat up to version 0.3.1.3 allows an attacker to delete or retrieve files through the Compatible File Service endpoints in openai_routes.py without any form of authentication. This missing authentication check enables an attacker to remove or access stored data, potentially resulting in data loss, exposure, or service disruption. The issue is specifically present in the files/list_files/retrieve_file/retrieve_file_content/delete_file functions.

Affected Systems

The affected product is Langchain-Chatchat from chatchat-space, versions 0.3.1.3 and earlier. Only installations that expose the openai_routes.py endpoints and are reachable from the local network are vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity vulnerability, while the EPSS score is not provided, suggesting no recent exploitation data is available. The vulnerability is not listed in the CISA KEV catalog. The attack requires local network access and is publicly exploitable; therefore, any host on the same network could use the unprotected endpoints to delete or read files. Given the public availability of the exploit, the risk to affected installations is significant if no mitigation is applied.

Generated by OpenCVE AI on May 5, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest release of Langchain-Chatchat that includes a fix for the missing authentication in the file service endpoints.
  • If an update is not yet available, isolate the vulnerable instances by applying firewall or segmentation rules that block inbound traffic to the openai_routes.py endpoints from untrusted local hosts.
  • Implement or enable authentication checks on the affected API routes, or remove the file service endpoints from the production environment to prevent unauthorized access.

Advisories

No advisories yet.

History

Tue, 05 May 2026 19:15:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Chatchat-space; Chatchat-space langchain-chatchat

Type: Vendors & Products
Values Removed: none
Values Added: Chatchat-space; Chatchat-space langchain-chatchat

Tue, 05 May 2026 16:15:00 +0000

Type: Description
Values Removed: none
Values Added: A vulnerability was detected in chatchat-space Langchain-Chatchat up to 0.3.1.3. This vulnerability affects the function files/list_files/retrieve_file/retrieve_file_content/delete_file of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Compatible File Service. The manipulation results in missing authentication. The attacker must have access to the local network to execute the attack. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
Values Removed: none
Values Added: chatchat-space Langchain-Chatchat Compatible File Service openai_routes.py delete_file missing authentication

Type: Weaknesses
Values Removed: none
Values Added: CWE-287; CWE-306

Type: References
Values Removed: none
Values Added:

Type: Metrics
Values Removed: none
Values Added:
cvssV2_0: {'score': 5.8, 'vector': 'AV:A/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-05T15:00:13.227Z

Reserved: 2026-05-05T10:20:48.141Z

Link: CVE-2026-7844

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-05T16:16:19.217

Modified: 2026-05-05T19:06:58.737

Link: CVE-2026-7844

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T19:00:11Z

Weaknesses