Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was detected in chatchat-space Langchain-Chatchat up to 0.3.1.3. This vulnerability affects the function files/list_files/retrieve_file/retrieve_file_content/delete_file of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Compatible File Service. The manipulation results in missing authentication. The attacker must have access to the local network to execute the attack. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Missing authentication in Langchain-Chatchat up to version 0.3.1.3 allows unauthenticated local network attackers to access and manipulate files through the Compatible File Service endpoints (files/list_files, retrieve_file, retrieve_file_content, delete_file) in openai_routes.py without credentials. The vulnerability has a publicly available proof-of-concept exploit and affects confidentiality, integrity, and availability of stored files, though impact is limited to low severity per CVSS scoring; however, the lack of authentication on file operations represents a significant security control failure.
Technical ContextAI
Langchain-Chatchat is a RAG (Retrieval-Augmented Generation) framework built on LLM chains that includes an OpenAI-compatible API server. The vulnerable component is the Compatible File Service in openai_routes.py, which exposes file management endpoints (list_files, retrieve_file, retrieve_file_content, delete_file) without implementing authentication middleware or access control validation. The root cause (CWE-306: Missing Authentication for Critical Function) indicates that the application fails to verify user identity before processing file operations that should be restricted. This suggests either absent authentication decorators/middleware on these route handlers or incomplete implementation of credential validation mechanisms that should guard these API endpoints.
RemediationAI
Immediate remediation requires implementing authentication validation on all file service endpoints (files/list_files, retrieve_file, retrieve_file_content, delete_file) in openai_routes.py. Apply authentication middleware or decorators to verify user credentials (API keys, OAuth tokens, or session identifiers) before processing any file operations. Upgrade to a patched version once released by the chatchat-space project; monitor the GitHub repository (https://github.com/chatchat-space/Langchain-Chatchat) and official advisory channels for patch availability. Until a vendor patch is available, implement compensating controls: (1) restrict network access to the Langchain-Chatchat API server to trusted internal networks only using firewall rules or network segmentation (e.g., VLANs), blocking external and untrusted internal access; (2) disable file service endpoints entirely if not required for your use case by removing or commenting out the route handlers; (3) implement a reverse proxy (nginx, Apache) in front of the service with authentication enforcement before requests reach the application, though this adds operational complexity. Each mitigation has trade-offs: network restriction reduces flexibility but is most effective if deployment supports it; disabling features removes functionality; proxy-based auth adds latency and architectural complexity. None of these are permanent solutions - vendor patch deployment must be prioritized.
More in Langchain Chatchat
View allInsufficiently random file ID generation in Langchain-Chatchat up to version 0.3.1.3 allows authenticated local network
Time-of-check time-of-use (TOCTOU) vulnerability in Langchain-Chatchat up to 0.3.1.3 allows authenticated local network
Weak hash function in the Vision Chat Paste Image Handler of Langchain-Chatchat up to 0.3.1.3 allows local network attac
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27388
GHSA-xvqj-p4jj-r7xh