
Gpt Researcher: EUVD-2026-19188 | CVE-2026-5632
Severity: MEDIUM, 5.5 (CVSS 4.0 · NVD)
Missing Authentication for Critical Function (CWE-306)
2026-04-06 · VulDB

Severity by source

NVD (PRIMARY): 5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline (5 events)

Apr 29, 2026 - 01:11 (NVD): CVSS changed, 6.9 (MEDIUM) → 5.5 (MEDIUM)
Apr 07, 2026 - 13:20 (vuln.today): PoC Detected, public exploit code
Apr 06, 2026 - 07:00 (euvd): EUVD ID Assigned, EUVD-2026-19188
Apr 06, 2026 - 07:00 (vuln.today): Analysis Generated
Apr 06, 2026 - 06:45 (nvd): CVE Published, MEDIUM 6.9

Description (CVE.org)

A vulnerability was found in assafelovic gpt-researcher up to 3.4.3. This impacts an unknown function of the component HTTP REST API Endpoint. Performing a manipulation results in missing authentication. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Analysis (AI)

Missing authentication in gpt-researcher HTTP REST API (versions ≤3.4.3) allows remote attackers to bypass access controls and interact with the API without credentials. Publicly available exploit code exists (GitHub issue #1695), enabling unauthorized information disclosure, data manipulation, and service disruption. …


Vulnerability Assessment (AI)

Risk Assessment: Real-world risk is elevated due to converging threat signals. …

Exploit Scenario: An external attacker discovers an internet-facing gpt-researcher instance through Shodan or automated API reconnaissance scanning for common research tool endpoints. Referencing the public GitHub issue #1695, the attacker crafts HTTP POST requests to the unauthenticated API endpoints to initiate research tasks with malicious queries designed to extract sensitive corporate intelligence or inject disinformation into research outputs. …

Remediation: No vendor-released patch was identified at the time of analysis; the project maintainer has not responded to the vulnerability disclosure submitted via GitHub issue #1695 (https://github.com/assafelovic/gpt-researcher/issues/1695). …

Recommended Action (AI)

Within 24 hours: Identify all instances of gpt-researcher ≤3.4.3 in production and development environments using asset inventory tools; isolate affected systems to internal-only network access via firewall rules. …
