Cyber Resilience

CVE-2026-4959

Medium

Published: 27 March 2026

Published
27 March 2026
Modified
30 March 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0022 45.3th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4959 is a medium-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-4959 is a missing authentication vulnerability in OpenBMB XAgent version 1.0.0. It affects the check_user function within the file XAgentServer/application/websockets/share.py of the ShareServer WebSocket Endpoint. The flaw is triggered by manipulation of the interaction_id argument, leading to improper authentication checks.

Remote attackers require no privileges and can exploit this over the network with low attack complexity. Successful exploitation grants limited impacts to confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). The issue maps to CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function).

VulDB advisories note that the vendor was contacted early for disclosure but provided no response, and no patches are referenced. An exploit is publicly available via a GitHub gist, enabling immediate remote exploitation attempts.

EU & UK References

Vulnerability details

A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the function check_user of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Performing a manipulation of the argument interaction_id results in missing authentication. Remote exploitation of the attack is…

more

possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authentication on a public-facing WebSocket endpoint (ShareServer) allows unauthenticated remote network exploitation by manipulating interaction_id, directly matching T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-7042Shared CWE-287, CWE-306
CVE-2025-58443Shared CWE-287, CWE-306
CVE-2025-11942Shared CWE-287, CWE-306
CVE-2026-6577Shared CWE-287, CWE-306
CVE-2026-6582Shared CWE-287, CWE-306
CVE-2026-6129Shared CWE-287, CWE-306
CVE-2026-5676Shared CWE-287, CWE-306
CVE-2026-4562Shared CWE-287, CWE-306
CVE-2026-7723Shared CWE-287, CWE-306
CVE-2026-5000Shared CWE-287, CWE-306

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to system resources, directly requiring authentication checks in the check_user function to block unauthorized WebSocket access via interaction_id manipulation.

prevent

Identifies and authorizes only specific actions without identification or authentication, preventing critical ShareServer WebSocket functions from operating without required checks.

prevent

Protects the authenticity of WebSocket communication sessions, mitigating unauthorized remote exploitation of the missing authentication vulnerability.

References