Which versions of Chatgpt On Wechat Cowagent are affected by EUVD-2026-21730?

CVE-2026-6126 is a critical authentication bypass in zhayujie chatgpt-on-wechat CowAgent 2.0.4 that exposes administrative functions to unauthenticated remote attackers, enabling unauthorized control…

Is there a public PoC exploit available for EUVD-2026-21730?

Yes, a public proof-of-concept exploit is available for EUVD-2026-21730. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate EUVD-2026-21730?

Within 24 hours: Identify all systems running CowAgent 2.0.4 and immediately isolate affected instances from production networks or disable public HTTP access to administrative endpoints. Within 7 days: Implement network-level authentication controls (reverse proxy, WAF rules requiring API keys) or migrate to an alternative chatbot framework; contact zhayujie maintainers directly to assess patch timeline. Within 30 days: Complete migration away from CowAgent 2.0.4 or deploy the latest patched version once vendor releases a fix; conduct audit of administrative API logs for unauthorized access.

Chatgpt On Wechat Cowagent EUVD-2026-21730

Q: What is the CVSS score of EUVD-2026-21730?

EUVD-2026-21730 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

| CVE-2026-6126 MEDIUM

Missing Authentication for Critical Function (CWE-306)

2026-04-12 VulDB

GHSA-8hj3-w5vf-j956

Authentication Bypass Chatgpt On Wechat Cowagent

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Severity Changed

Apr 12, 2026 - 11:22 NVD

HIGH MEDIUM

CVSS changed

Apr 12, 2026 - 11:22 NVD

7.3 (HIGH) 6.9 (MEDIUM)

Analysis Generated

Apr 12, 2026 - 10:51 vuln.today

EUVD ID Assigned

Apr 12, 2026 - 10:45 euvd

EUVD-2026-21730

Analysis Generated

Apr 12, 2026 - 10:45 vuln.today

CVE Published

Apr 12, 2026 - 10:30 nvd

MEDIUM 5.5

DescriptionCVE.org

A weakness has been identified in zhayujie chatgpt-on-wechat CowAgent 2.0.4. The affected element is an unknown function of the component Administrative HTTP Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Missing authentication in zhayujie chatgpt-on-wechat CowAgent 2.0.4 administrative HTTP endpoint allows remote attackers to bypass access controls and perform unauthorized administrative operations without credentials. Publicly available exploit code exists. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify exposed CowAgent instance

Delivery

Send unauthenticated HTTP request to admin endpoint

Exploit

Execute administrative commands

Execution

Modify configuration or exfiltrate data

Impact

Maintain persistence through backdoor accounts