Severity by source
CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. Impacted is the function files of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component OpenAI-Compatible File Upload API. Such manipulation of the argument file.filename leads to time-of-check time-of-use. Access to the local network is required for this attack to succeed. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Time-of-check time-of-use (TOCTOU) vulnerability in Langchain-Chatchat up to 0.3.1.3 allows authenticated local network attackers to manipulate file.filename arguments in the OpenAI-Compatible File Upload API, leading to integrity compromise through race condition exploitation. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification despite proof-of-concept documentation.
Technical ContextAI
The vulnerability exists in the OpenAI-Compatible File Upload API endpoint (libs/chatchat-server/chatchat/server/api_server/openai_routes.py) and stems from a classic TOCTOU race condition (CWE-367). The file upload handler checks the validity of file.filename at one point in time but uses that filename later without re-validating it, creating a window where an attacker on the local network can modify the filename between the check and use phases. This allows an authenticated user to bypass filename restrictions or manipulate file storage paths. The vulnerability requires local network access (AV:A) and high attack complexity (AC:H), limiting exposure to attackers within network proximity.
RemediationAI
No vendor-released patch has been identified at time of analysis. The project maintainers have not responded to early disclosure despite issue notification. Immediate remediation options are limited: (1) Upgrade to a future patched version if released by chatchat-space (monitor GitHub releases and security advisories); (2) Implement network-level access controls restricting the OpenAI-Compatible File Upload API endpoint to trusted internal networks only, using firewall rules or API gateway authentication; (3) Disable the OpenAI-Compatible File Upload API feature entirely if not required for operations, reducing attack surface; (4) Implement file operation logging and integrity monitoring (checksums, audit trails) on uploaded files to detect race condition exploitation. Organizations should also consider submitting additional reports to the chatchat-space project or seeking community-maintained forks with security patches. None of these workarounds fully eliminate the TOCTOU race condition itself; they only reduce exposure or detectability.
More in Langchain Chatchat
View allMissing authentication in Langchain-Chatchat up to version 0.3.1.3 allows unauthenticated local network attackers to acc
Insufficiently random file ID generation in Langchain-Chatchat up to version 0.3.1.3 allows authenticated local network
Weak hash function in the Vision Chat Paste Image Handler of Langchain-Chatchat up to 0.3.1.3 allows local network attac
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27392
GHSA-x229-w2j4-h748