CVE-2026-6126

High

Published: 12 April 2026

Published

12 April 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0011 29.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6126 is a high-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Directly mandates that no administrative functions on the HTTP endpoint are permitted without identification or authentication, comprehensively addressing the missing authentication vulnerability.

IA-2 Identification and Authentication (Organizational Users) good match

prevent

Requires organizational users, such as administrators, to be identified and authenticated prior to accessing the vulnerable administrative HTTP endpoint.

AC-3 Access Enforcement good match

prevent

Enforces approved access authorizations, ensuring logical access to the unauthenticated administrative function is restricted to authorized subjects only.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Missing authentication for a critical function in a network-accessible administrative HTTP endpoint directly enables remote exploitation of a public-facing application without credentials or interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A weakness has been identified in zhayujie chatgpt-on-wechat CowAgent 2.0.4. The affected element is an unknown function of the component Administrative HTTP Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit has been…

made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Deeper analysisAI

CVE-2026-6126 is a missing authentication vulnerability in an unknown function of the Administrative HTTP Endpoint component within CowAgent 2.0.4 of the zhayujie/chatgpt-on-wechat project. Published on 2026-04-12, the issue carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function).

The vulnerability enables remote attackers to initiate exploitation without privileges or user interaction and with low attack complexity. Successful attacks can result in low-level impacts to confidentiality, integrity, and availability.

Advisories reference GitHub issues #2733 and #2733#issue-4177804035, along with VulDB submissions at /submit/793554, /submit/795335, and /vuln/356990. The project was informed early via an issue report but has not responded, with no patches or official mitigations disclosed.

An exploit is publicly available and could be used for attacks, affecting a ChatGPT integration for WeChat that has relevance to AI/ML deployments in messaging environments.

Details

CWE(s): CWE-287 CWE-306

CVEs Like This One

CVE-2025-58443Shared CWE-287, CWE-306

CVE-2026-6577Shared CWE-287, CWE-306

CVE-2026-40344Shared CWE-287, CWE-306

CVE-2026-6582Shared CWE-287, CWE-306

CVE-2026-4562Shared CWE-287, CWE-306

CVE-2026-3053Shared CWE-287, CWE-306

CVE-2026-5000Shared CWE-287, CWE-306

CVE-2026-6129Shared CWE-287, CWE-306

CVE-2025-11942Shared CWE-287, CWE-306

CVE-2026-7042Shared CWE-287, CWE-306

References

https://github.com/zhayujie/chatgpt-on-wechat/issues/2733
cna@vuldb.com
https://github.com/zhayujie/chatgpt-on-wechat/issues/2733#issue-4177804035
cna@vuldb.com
https://vuldb.com/submit/793554
cna@vuldb.com
https://vuldb.com/submit/795335
cna@vuldb.com
https://vuldb.com/vuln/356990
cna@vuldb.com
https://vuldb.com/vuln/356990/cti
cna@vuldb.com