Skip to main content

SmythOS sre CVE-2026-7021

| EUVDEUVD-2026-25696 LOW
Information Exposure (CWE-200)
2026-04-26 cna@vuldb.com
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
5.1 (MEDIUM) 2.0 (LOW)
Analysis Generated
Apr 26, 2026 - 06:30 vuln.today
EUVD ID Assigned
Apr 26, 2026 - 06:22 euvd
EUVD-2026-25696
Analysis Generated
Apr 26, 2026 - 06:22 vuln.today
CVE Published
Apr 26, 2026 - 06:16 nvd
LOW 2.0

DescriptionCVE.org

A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the argument baseURL causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SmythOS sre versions up to 0.0.15 expose sensitive information through improper validation of the baseURL argument in the Connector Service's LLM utilities component. An authenticated remote attacker with user interaction can manipulate the baseURL parameter to disclose confidential data. Public exploit code exists, and the vendor has not responded to early disclosure notifications.

Technical ContextAI

The vulnerability resides in packages/sdk/src/LLM/utils.ts within SmythOS's Connector Service. The root cause is classified under CWE-200 (Information Exposure), indicating inadequate controls over the baseURL parameter used in HTTP communications with language model endpoints. The Connector Service likely constructs API requests using a user-supplied or influenced baseURL without proper validation or sanitization, allowing an attacker to redirect requests to attacker-controlled infrastructure or extract sensitive headers and request payloads intended for legitimate LLM services.

RemediationAI

Upgrade SmythOS sre to a version newer than 0.0.15; however, no patched version is explicitly confirmed in the available data due to vendor non-responsiveness. As an immediate compensating control, restrict access to the Connector Service to trusted network ranges and implement strict input validation on all baseURL parameters, ensuring they match a whitelist of approved LLM endpoints. Disable or restrict user ability to modify baseURL unless business-critical; if modification is necessary, implement approval workflows requiring administrator sign-off. Monitor HTTP requests from the Connector Service for unusual destination hosts or suspicious patterns. These controls reduce the attack surface while awaiting a vendor patch or alternative solution. Note that restricting user modification of baseURL may impact legitimate workflow flexibility.

Share

CVE-2026-7021 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy