CVE-2026-0762
HIGHCVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
GPT Academic stream_daas Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Interaction with a malicious DAAS server is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the stream_daas function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27956.
Analysis
Remote code execution in GPT Academic's stream_daas function results from improper deserialization of untrusted data when communicating with external servers, allowing unauthenticated attackers to execute arbitrary code with root privileges. The vulnerability requires interaction with a malicious DAAS server and currently has no available patch. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all GPT Academic instances across the organization and isolate affected systems from production networks if possible. Within 7 days: Implement network segmentation to restrict access to GPT Academic instances, disable the vulnerable stream_daas deserialization feature if operationally feasible, and deploy WAF rules to block suspicious deserialization payloads. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today