Description
A vulnerability was found in chatchat-space Langchain-Chatchat up to 0.3.1.3. The affected element is the function _get_file_id of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Uploaded File Handler. Performing a manipulation results in insufficiently random values. Access to the local network is required for this attack. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-05
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the _get_file_id function within openai_routes.py of the Uploaded File Handler. It generates identifiers using insufficiently random values, a weakness classified as cryptographic issues (CWE-310) and use of insufficiently random values (CWE-330). As a result, an attacker who can reach the application over the local network could predict or enumerate file identifiers, potentially retrieving sensitive uploaded files that should be protected.

Affected Systems

The impacted product is chatchat-space:Langchain-Chatchat, with all releases up to and including version 0.3.1.3 affected. No other vendor or product versions are listed as impacted.

Risk and Exploitability

The overall CVSS score of 2.1 indicates low severity, but the exploit is publicly available and has been described as difficult to execute, requiring high complexity and local network access. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. The likely attack vector is a compromised host on the local network, from which an attacker can attempt to guess file IDs to access uploaded content.

Generated by OpenCVE AI on May 5, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether your deployment of Langchain-Chatchat runs version 0.3.1.3 or earlier and plan an upgrade to the latest release or apply any vendor-provided patch as soon as it becomes available.
  • Restrict access to the Langchain-Chatchat server by limiting local network connectivity to trusted users or subnets, reducing the attack surface for enumerating file IDs.
  • Modify or replace the _get_file_id implementation to use a cryptographically secure random number generator, ensuring that file identifiers are truly unpredictable.
  • Monitor server logs for repeated attempts to access missing or nonexistent file IDs, which may indicate an enumeration attack; investigate and block suspicious IP addresses when necessary.
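As an added illustration of the last two actions (example code, not from Langchain-Chatchat or OpenCVE): a drop-in file-ID generator backed by the OS CSPRNG, and a small detector that flags clients producing repeated 404s on the file-retrieval route. The route path /v1/files/<id> and the access-log format are assumptions.

```python
import re
import secrets
from collections import Counter

# Assumed hardened replacement for _get_file_id: 128 bits from the OS
# CSPRNG, URL-safe, with no time- or counter-derived component.
FILE_ID_BYTES = 16


def secure_file_id() -> str:
    """Return an unpredictable, URL-safe file identifier."""
    return secrets.token_urlsafe(FILE_ID_BYTES)


# Constructed access-log format (assumed, not the project's own):
#   <client-ip> "GET /v1/files/<file-id>" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "GET /v1/files/(?P<fid>[^/\s"]+)" (?P<status>\d{3})$'
)


def enumeration_suspects(log_lines, threshold=5):
    """Map client IP -> number of 404s on the file route, for clients at or
    above `threshold`. Repeated misses are the signature of ID guessing."""
    misses = Counter()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("status") == "404":
            misses[m.group("ip")] += 1
    return {ip: n for ip, n in misses.items() if n >= threshold}


# Constructed sample: 10.0.0.7 probes sequential-looking IDs and misses
# five times; 10.0.0.3 makes one legitimate fetch and one mistyped one.
SAMPLE_LOG = [
    '10.0.0.7 "GET /v1/files/file-1001" 404',
    '10.0.0.7 "GET /v1/files/file-1002" 404',
    '10.0.0.7 "GET /v1/files/file-1003" 404',
    '10.0.0.7 "GET /v1/files/file-1004" 200',
    '10.0.0.7 "GET /v1/files/file-1005" 404',
    '10.0.0.7 "GET /v1/files/file-1006" 404',
    '10.0.0.3 "GET /v1/files/ZqW7x0pLkm3T_9aYv2cR-g" 200',
    '10.0.0.3 "GET /v1/files/ZqW7x0pLkm3T_9aYv2cR-h" 404',
]

if __name__ == "__main__":
    print(secure_file_id())
    print(enumeration_suspects(SAMPLE_LOG))  # {'10.0.0.7': 5}
```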

Generated by OpenCVE AI on May 5, 2026 at 19:50 UTC.

Advisories

No advisories yet.

History

Tue, 05 May 2026 18:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Chatchat-space; Chatchat-space langchain-chatchat
Vendors & Products  |                | Chatchat-space; Chatchat-space langchain-chatchat

Tue, 05 May 2026 17:00:00 +0000

Type        | Values Removed | Values Added
Description |                | (identical to the Description at the top of this page)
Title       |                | chatchat-space Langchain-Chatchat Uploaded File openai_routes.py _get_file_id random values
Weaknesses  |                | CWE-310; CWE-330
References  |                |
Metrics     |                | cvssV2_0: {'score': 1.4, 'vector': 'AV:A/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
            |                | cvssV3_0: {'score': 2.6, 'vector': 'CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
            |                | cvssV3_1: {'score': 2.6, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
            |                | cvssV4_0: {'score': 2.1, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-05T16:30:13.695Z

Reserved: 2026-05-05T10:21:00.280Z

Link: CVE-2026-7847

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-05T17:17:05.153

Modified: 2026-05-05T19:06:58.737

Link: CVE-2026-7847

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T20:00:13Z

Weaknesses