Cyber Resilience

CVE-2026-7644

Medium

Published: 02 May 2026

Modified: 05 May 2026
KEV Added: not listed
Patch: none reported
CVSS v4 score: 5.5 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0006 (18.5th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-7644 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 18.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-7644 is an improper authorization vulnerability (CWE-266, CWE-285) in ChatGPTNextWeb's NextChat application, affecting versions up to 2.16.1. The flaw is in the addMcpServer function of the file app/mcp/actions.ts, where manipulation of the request allows actions the caller is not authorized to perform.

Remote attackers require no privileges (PR:N) and can exploit the issue over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), as reflected in its CVSS v3.1 base score of 7.3 (S:U/C:L/I:L/A:L). Successful exploitation has low impact on confidentiality, integrity, and availability.

Advisories from VulDB note that the project was informed early via GitHub issue #6757 but has not responded, with no patches or mitigations detailed. The exploit has been publicly disclosed and may be actively used, per the CVE description.

ChatGPTNextWeb NextChat is an open-source web interface for ChatGPT-style deployments, which makes this entry relevant to teams running AI/ML web applications.

Vulnerability details

A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the file app/mcp/actions.ts. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mcp

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The improper authorization vulnerability in the public-facing NextChat web application enables remote unauthorized actions with no privileges or user interaction required, which maps directly to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1226 (shared CWE-266, CWE-285)
CVE-2026-1597 (shared CWE-266, CWE-285)
CVE-2025-8756 (shared CWE-266, CWE-285)
CVE-2026-2105 (shared CWE-266, CWE-285)
CVE-2025-1815 (shared CWE-266, CWE-285)
CVE-2025-0484 (shared CWE-266, CWE-285)
CVE-2026-3724 (shared CWE-266, CWE-285)
CVE-2026-5642 (shared CWE-266, CWE-285)
CVE-2026-6977 (shared CWE-266, CWE-285)
CVE-2026-2896 (shared CWE-266, CWE-285)

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 (Access Enforcement). Enforces approved authorizations for access to system resources, directly countering the improper authorization flaw in the addMcpServer function.

Prevent: SI-2 (Flaw Remediation). Requires identification, reporting, and correction of the specific vulnerability in app/mcp/actions.ts, eliminating the improper authorization issue.

Prevent: Least privilege. Applies least privilege to restrict unauthorized actions even if the authorization checks in the vulnerable function fail.