Skip to main content

CowAgent EUVDEUVD-2026-42809

| CVE-2026-15332 LOW
Missing Authorization (CWE-862)
2026-07-10 cna@vuldb.com GHSA-w2xj-h2fq-hcfv
2.1
CVSS 4.0 · Vendor: vuldb

Severity by source

Vendor (vuldb) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Network-accessible endpoint requiring low-privilege auth; no scope change; all impacts limited to Low given constrained authorization bypass.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (vuldb).

CVSS VectorVendor: vuldb

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 10, 2026 - 06:07 vuln.today

DescriptionCVE.org

A security flaw has been discovered in zhayujie CowAgent up to 2.1.0. The impacted element is an unknown function of the file channel/channel.py of the component Message Endpoint. The manipulation results in missing authorization. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Missing authorization in zhayujie CowAgent up to version 2.1.0 allows remote attackers with low-privilege accounts to bypass access controls at the Message Endpoint defined in channel/channel.py, potentially enabling unauthorized access to or manipulation of messaging data. The CVSS 4.0 vector confirms network-accessible exploitation requiring only low privileges, with low-level confidentiality, integrity, and availability impacts on the vulnerable system. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege CowAgent account
Exploit
Send crafted request to Message Endpoint
Execution
Bypass missing authorization check in channel.py
Impact
Access or modify unauthorized message data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid low-privilege account on the CowAgent instance (PR:L per the CVSS 4.0 vector); unauthenticated attackers cannot exploit this directly. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.1 reflects the bounded, low-severity impact (VC:L/VI:L/VA:L) with no subsequent system scope (SC:N/SI:N/SA:N), which is consistent with a limited authorization bypass in an auxiliary channel handler rather than a privilege escalation path to full system compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privilege user of a network-accessible CowAgent instance crafts a request to the Message Endpoint in channel/channel.py, omitting or manipulating authorization parameters that the handler fails to validate. Using the publicly available proof-of-concept code referenced by VulDB (https://vuldb.com/vuln/377275), the attacker can access or modify message data belonging to other users or beyond their permitted scope. …
Remediation No vendor-released patch has been identified at time of analysis; the project maintainer has not responded to the disclosure filed in GitHub issue https://github.com/zhayujie/CowAgent/issues/2874. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42809 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy