Cyber Resilience

CVE-2026-5631

Medium

Published: 06 April 2026

Published
06 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0007 20.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5631 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5631 is a code injection vulnerability in the open-source project assafelovic/gpt-researcher, affecting versions up to 3.4.3. The issue resides in the extract_command_data function within the file backend/server/server_utils.py, specifically in the ws Endpoint component. By manipulating the args argument, an attacker can inject arbitrary code remotely. The vulnerability is rated with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-94 (Improper Control of Generation of Code).

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, enabling code injection that could lead to further compromise depending on the execution context.

References indicate the vulnerability was reported to the project via GitHub issue #1694, but the maintainers have not yet responded or released a patch. The exploit has been publicly disclosed and may be actively used, as noted in VulDB entries. No specific mitigations or workarounds are detailed in the available advisories.

Notably, gpt-researcher is an AI-powered research tool leveraging large language models, making this vulnerability relevant to AI/ML deployments where WebSocket endpoints may expose backend services. There is no confirmed evidence of widespread real-world exploitation at the time of publication on 2026-04-06.

EU & UK References

Vulnerability details

A vulnerability has been found in assafelovic gpt-researcher up to 3.4.3. This affects the function extract_command_data of the file backend/server/server_utils.py of the component ws Endpoint. Such manipulation of the argument args leads to code injection. The attack may be performed…

more

from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: gpt

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Remote code injection in public-facing ws endpoint enables T1190 exploitation for initial access and arbitrary Python code execution via T1059.006.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3409Shared CWE-74, CWE-94
CVE-2026-5584Shared CWE-74, CWE-94
CVE-2026-2008Shared CWE-74, CWE-94
CVE-2026-4998Shared CWE-74, CWE-94
CVE-2026-6110Shared CWE-74, CWE-94
CVE-2026-5970Shared CWE-74, CWE-94
CVE-2026-24780Shared CWE-94
CVE-2026-6603Shared CWE-74, CWE-94
CVE-2026-26216Shared CWE-94
CVE-2026-31225Shared CWE-94

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates code injection by requiring validation and sanitization of the manipulated 'args' argument in the ws Endpoint's extract_command_data function.

preventrecover

Ensures timely identification, testing, and installation of fixes for known flaws like this unpatched code injection vulnerability in gpt-researcher up to 3.4.3.

preventdetect

Provides boundary protection for the remote WebSocket endpoint to monitor and filter malicious network traffic attempting args manipulation for code injection.

References