Is there a public PoC exploit available for CVE-2026-6635?

Yes, a public proof-of-concept exploit is available for CVE-2026-6635. Prioritise patching immediately. EPSS: 0.1%.

CVE-2026-6635

Q: What is the CVSS score of CVE-2026-6635?

CVE-2026-6635 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-23840 MEDIUM

Improper Authentication (CWE-287)

2026-04-20 VulDB

GHSA-6c34-3mhj-jwxw

Authentication Bypass

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:12 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Severity Changed

Apr 20, 2026 - 12:22 NVD

HIGH MEDIUM

CVSS changed

Apr 20, 2026 - 12:22 NVD

7.3 (HIGH) 6.9 (MEDIUM)

Analysis Generated

Apr 20, 2026 - 12:15 vuln.today

EUVD ID Assigned

Apr 20, 2026 - 12:00 euvd

EUVD-2026-23840

Analysis Generated

Apr 20, 2026 - 12:00 vuln.today

CVE Published

Apr 20, 2026 - 11:45 nvd

MEDIUM 5.5

DescriptionNVD

A security vulnerability has been detected in rowboatlabs rowboat up to 0.1.67. This impacts the function tool_call of the file apps/experimental/tools_webhook/app.py of the component tools_webhook. Such manipulation of the argument X-Tools-JWE leads to improper authentication. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Improper authentication in rowboatlabs rowboat (versions up to 0.1.67) allows remote unauthenticated attackers to bypass authentication by manipulating the X-Tools-JWE header in the tools_webhook component. The vulnerability enables unauthorized access with low confidentiality, integrity, and availability impact. …

RemediationAI

Within 24 hours: Identify all Rowboat instances running versions 0.1.67 or earlier and inventory their network exposure, particularly tools_webhook endpoints. Within 7 days: Apply immediate mitigation controls (see compensating_controls below) and establish network segmentation to restrict access to tools_webhook to trusted sources only. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-6635 vulnerability details – vuln.today

Back

CVE-2026-6635

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

CVE-2026-6635

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code