Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the file app/mcp/actions.ts. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Improper authorization in ChatGPTNextWeb NextChat up to version 2.16.1 allows remote unauthenticated attackers to bypass access controls in the addMcpServer function (app/mcp/actions.ts), potentially disclosing sensitive information. The vulnerability has a CVSS score of 5.5 (moderate severity) with public exploit code available, though the vendor has not yet responded to the disclosed issue.
Technical ContextAI
The vulnerability exists in the Model Context Protocol (MCP) server integration functionality within NextChat's actions module. CWE-266 (Improper Privilege Assignment) indicates that the addMcpServer function fails to properly enforce authorization checks before processing requests to add new MCP servers. This allows the manipulation of server configuration without proper access control validation. The issue likely resides in the TypeScript/JavaScript layer handling MCP server instantiation, where insufficient verification of caller privileges permits unauthorized operations.
RemediationAI
Update to a patched version of NextChat greater than 2.16.1 once the vendor releases a fix. At time of analysis, the vendor has not released a patched version despite early notification through issue #6757. As an interim measure, restrict network access to the NextChat instance using firewall rules to block unauthorized callers, disable the MCP server integration feature if not in active use, or implement reverse-proxy authentication (e.g., via nginx or HAProxy) to enforce authentication before requests reach the addMcpServer endpoint. These compensating controls reduce exposure but do not eliminate the underlying authorization flaw. Monitor the GitHub repository and vendor security channels for an updated release.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26798