Skip to main content

ChatGPTNextWeb NextChat CVE-2026-7643

| EUVDEUVD-2026-26797 LOW
Origin Validation Error (CWE-346)
2026-05-02 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 02, 2026 - 15:30 vuln.today
EUVD ID Assigned
May 02, 2026 - 15:22 euvd
EUVD-2026-26797
Analysis Generated
May 02, 2026 - 15:22 vuln.today
CVE Published
May 02, 2026 - 15:16 nvd
LOW 2.1

DescriptionCVE.org

A flaw has been found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function of the file Next.js of the component API Endpoint. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Permissive cross-domain policy in ChatGPTNextWeb NextChat up to version 2.16.1 allows remote attackers with user interaction to manipulate the Next.js API endpoint and enable untrusted domains to access application resources, leading to information disclosure. Public exploit code exists for this vulnerability, though the vendor has not yet responded to early disclosure notification.

Technical ContextAI

The vulnerability exists in the Next.js API endpoint component of ChatGPTNextWeb NextChat, specifically involving improper handling of cross-origin resource sharing (CORS) policies as classified under CWE-346 (Origin Validation Error). The flaw permits attackers to manipulate domain policies to allow requests from untrusted domains, bypassing the browser's same-origin policy safeguards. This represents a failure to properly validate and restrict the origins from which the API will accept requests, a common misconfiguration in web applications built with Next.js that do not implement strict CORS headers or origin validation logic.

RemediationAI

Upgrade ChatGPTNextWeb NextChat to a version released after 2.16.1 once a patched release becomes available. Until an official patch is released, implement strict CORS policy configuration by explicitly defining allowed origins in the Next.js API configuration-restrict the Access-Control-Allow-Origin header to only trusted domains rather than using wildcard (*) or dynamic origin acceptance without validation. Additionally, review and restrict the Access-Control-Allow-Credentials header to prevent credential-bearing requests from untrusted origins. For immediate risk reduction without requiring application code changes, deploy a Web Application Firewall (WAF) rule to reject requests from unauthorized origins to API endpoints, though this requires monitoring logs to identify legitimate origins and may impact legitimate cross-domain integrations. Monitor the GitHub issue (https://github.com/ChatGPTNextWeb/NextChat/issues/6756) and project releases for availability of a patched version.

Share

CVE-2026-7643 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy