Skip to main content

Langchain Chatchat

4 CVEs product

Monthly

CVE-2026-7847 PyPI LOW POC Monitor

Insufficiently random file ID generation in Langchain-Chatchat up to version 0.3.1.3 allows authenticated local network attackers to predict uploaded file identifiers via the _get_file_id function, enabling information disclosure. The vulnerability requires local network access and authenticated privileges but carries low exploitability due to high attack complexity. A public exploit is available, though the project has not responded to early disclosure notifications.

Information Disclosure Langchain Chatchat
NVD VulDB GitHub
CVSS 4.0
1.2
EPSS
0.0%
CVE-2026-7846 PyPI LOW POC Monitor

Time-of-check time-of-use (TOCTOU) vulnerability in Langchain-Chatchat up to 0.3.1.3 allows authenticated local network attackers to manipulate file.filename arguments in the OpenAI-Compatible File Upload API, leading to integrity compromise through race condition exploitation. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification despite proof-of-concept documentation.

File Upload Langchain Chatchat
NVD VulDB GitHub
CVSS 4.0
1.2
EPSS
0.0%
CVE-2026-7845 PyPI LOW POC Monitor

Weak hash function in the Vision Chat Paste Image Handler of Langchain-Chatchat up to 0.3.1.3 allows local network attackers with low privileges to cause information disclosure via hash collision attacks on image data processed through PIL.Image.tobytes. The vulnerability requires high attack complexity and local network presence, resulting in minimal direct impact (CVSS 1.2); however, publicly available exploit code exists and the vendor has not responded to disclosure.

Information Disclosure Langchain Chatchat
NVD VulDB GitHub
CVSS 4.0
1.2
EPSS
0.0%
CVE-2026-7844 LOW POC Monitor

Missing authentication in Langchain-Chatchat up to version 0.3.1.3 allows unauthenticated local network attackers to access and manipulate files through the Compatible File Service endpoints (files/list_files, retrieve_file, retrieve_file_content, delete_file) in openai_routes.py without credentials. The vulnerability has a publicly available proof-of-concept exploit and affects confidentiality, integrity, and availability of stored files, though impact is limited to low severity per CVSS scoring; however, the lack of authentication on file operations represents a significant security control failure.

Authentication Bypass Langchain Chatchat
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
EPSS 0% CVSS 1.2
LOW POC Monitor

Insufficiently random file ID generation in Langchain-Chatchat up to version 0.3.1.3 allows authenticated local network attackers to predict uploaded file identifiers via the _get_file_id function, enabling information disclosure. The vulnerability requires local network access and authenticated privileges but carries low exploitability due to high attack complexity. A public exploit is available, though the project has not responded to early disclosure notifications.

Information Disclosure Langchain Chatchat
NVD VulDB GitHub
EPSS 0% CVSS 1.2
LOW POC Monitor

Time-of-check time-of-use (TOCTOU) vulnerability in Langchain-Chatchat up to 0.3.1.3 allows authenticated local network attackers to manipulate file.filename arguments in the OpenAI-Compatible File Upload API, leading to integrity compromise through race condition exploitation. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification despite proof-of-concept documentation.

File Upload Langchain Chatchat
NVD VulDB GitHub
EPSS 0% CVSS 1.2
LOW POC Monitor

Weak hash function in the Vision Chat Paste Image Handler of Langchain-Chatchat up to 0.3.1.3 allows local network attackers with low privileges to cause information disclosure via hash collision attacks on image data processed through PIL.Image.tobytes. The vulnerability requires high attack complexity and local network presence, resulting in minimal direct impact (CVSS 1.2); however, publicly available exploit code exists and the vendor has not responded to disclosure.

Information Disclosure Langchain Chatchat
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Missing authentication in Langchain-Chatchat up to version 0.3.1.3 allows unauthenticated local network attackers to access and manipulate files through the Compatible File Service endpoints (files/list_files, retrieve_file, retrieve_file_content, delete_file) in openai_routes.py without credentials. The vulnerability has a publicly available proof-of-concept exploit and affects confidentiality, integrity, and availability of stored files, though impact is limited to low severity per CVSS scoring; however, the lack of authentication on file operations represents a significant security control failure.

Authentication Bypass Langchain Chatchat
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy