Skip to main content

Chatgpt On Wechat Cowagent CVE-2026-6129

| EUVDEUVD-2026-21744 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-04-12 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Analysis Generated
Apr 12, 2026 - 20:25 vuln.today
Severity Changed
Apr 12, 2026 - 20:22 NVD
HIGH MEDIUM
CVSS changed
Apr 12, 2026 - 20:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
EUVD ID Assigned
Apr 12, 2026 - 20:15 euvd
EUVD-2026-21744
Analysis Generated
Apr 12, 2026 - 20:15 vuln.today
CVE Published
Apr 12, 2026 - 19:45 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability was detected in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects an unknown function of the component Agent Mode Service. Performing a manipulation results in missing authentication. The attack can be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Authentication bypass in zhayujie chatgpt-on-wechat CowAgent up to version 2.0.4 allows remote unauthenticated attackers to manipulate the Agent Mode Service component, resulting in missing authentication checks (CWE-306). Publicly available exploit code exists, and the vulnerability has been reported to the project without response. CVSS 6.9 reflects moderate confidentiality, integrity, and availability impact with network-accessible attack vector and no user interaction required.

Technical ContextAI

The vulnerability resides in the Agent Mode Service component of chatgpt-on-wechat CowAgent, a WeChat integration tool for ChatGPT. The issue is classified as CWE-306 (Missing Authentication Check), indicating that the service fails to enforce proper authentication mechanisms when processing requests to sensitive functions. The affected product is identified by CPE cpe:2.3:a:zhayujie:chatgpt-on-wechat_cowagent:*:*:*:*:*:*:*:*, meaning all versions up to 2.0.4 are vulnerable. The attack vector is network-based with low complexity, no special access requirements, and no authentication needed (CVSS PR:N), suggesting the vulnerability can be exploited by sending specially crafted remote requests that bypass authentication validation logic in the Agent Mode Service.

RemediationAI

Upgrade zhayujie chatgpt-on-wechat CowAgent to a version released after 2.0.4 that includes authentication validation fixes. Monitor the official GitHub repository (https://github.com/zhayujie/chatgpt-on-wechat) for patched releases, as the vendor has not yet responded to the early notification. Until a patch is available, implement network-level access controls to restrict direct access to the Agent Mode Service component; firewall rules limiting API endpoint exposure to trusted internal networks or specific IP ranges can reduce attack surface. Additionally, review deployed instances to identify whether the Agent Mode Service is exposed to untrusted networks and consider disabling it if not actively required. Consult VulDB (https://vuldb.com/vuln/356992) for updates on vendor response and patch availability.

Share

CVE-2026-6129 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy