chatgpt-on-wechat CVE-2026-10214

EUVD-2026-33535 | MEDIUM
OS Command Injection (CWE-78)
2026-06-01 · VulDB · GHSA-qvrw-783g-pmvr
CVSS 4.0 score: 5.5 (NVD)

Severity by source

NVD (primary): 5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: X

Lifecycle Timeline (4 events)

  • Severity Changed: Jun 01, 2026 - 03:22 (NVD), HIGH to MEDIUM
  • CVSS changed: Jun 01, 2026 - 03:22 (NVD), 7.3 (HIGH) to 5.5 (MEDIUM)
  • Source Code Evidence Fetched: Jun 01, 2026 - 02:43 (vuln.today)
  • Analysis Generated: Jun 01, 2026 - 02:43 (vuln.today)

Description (CVE.org)

A weakness has been identified in zhayujie chatgpt-on-wechat up to 2.0.8. This issue affects the function _get_safety_warning of the file agent/tools/bash/bash.py of the component Bash Tool. Executing a manipulation can lead to OS command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2.0.9 is capable of addressing this issue. This patch is called 16d9b449c9aa53ccee44144a762a2737d7ba4fc4. It is recommended to upgrade the affected component.

Analysis (AI)

OS command injection in zhayujie chatgpt-on-wechat (also known as CowAgent) versions up to and including 2.0.8 allows remote attackers to execute arbitrary operating system commands by abusing the _get_safety_warning function within the Bash Tool component (agent/tools/bash/bash.py). Publicly available exploit code exists for this issue, increasing the likelihood of opportunistic abuse, though it is not currently listed in CISA KEV. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Identify exposed CowAgent web console
  • Delivery: Connect to unauthenticated chat endpoint
  • Exploit: Submit prompt invoking Bash Tool
  • Execution: Inject shell metacharacters bypassing _get_safety_warning
  • Persist: Execute arbitrary OS commands as agent user
  • Impact: Harvest secrets and pivot internally

Vulnerability Assessment (AI)

Exploitation: Exploitation requires network reachability to a chatgpt-on-wechat / CowAgent instance running version 2.0.8 or earlier with the Bash Tool enabled in the agent's tool configuration, and a path to send agent input that reaches the vulnerable _get_safety_warning code in agent/tools/bash/bash.py, typically via the web console (web channel) or another configured channel that allows free-form prompts to the agent. …
Risk Assessment: The CVSS 3.1 base score of 7.3 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L describes a network-reachable, low-complexity, unauthenticated flaw with low impact on each CIA dimension, which is unusual for an OS command injection since command execution typically warrants High impact. The Low ratings likely reflect the limited privilege context of the agent process or the constrained command surface, but defenders should treat successful exploitation as effectively code execution within that context. …
Exploit Scenario: An attacker locates an internet-exposed chatgpt-on-wechat / CowAgent instance (default pre-2.0.9 builds bind the web console to 0.0.0.0 with no password required) and interacts with the agent in a way that invokes the Bash Tool, supplying input crafted to break out of the safety-check wrapper in _get_safety_warning and append attacker-controlled shell metacharacters. Using the publicly available proof-of-concept from the linked issue, the attacker achieves command execution under the agent process account and uses it to read configuration secrets, pivot to other internal services, or stage further tooling.
Remediation: Vendor-released patch: upgrade to chatgpt-on-wechat / CowAgent version 2.0.9 or later, which incorporates commit 16d9b449c9aa53ccee44144a762a2737d7ba4fc4 fixing the Bash Tool input handling, available at https://github.com/zhayujie/CowAgent/releases/tag/2.0.9 with the diff at https://github.com/zhayujie/CowAgent/commit/16d9b449c9aa53ccee44144a762a2737d7ba4fc4. …

Recommended Action (AI)

Within 24 hours: Inventory all systems running chatgpt-on-wechat versions 2.0.8 and earlier. …

CVE-2026-10214 vulnerability details – vuln.today