{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6126", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-11T20:22:46.584Z", "datePublished": "2026-04-12T10:30:12.107Z", "dateUpdated": "2026-04-13T12:24:50.364Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-12T10:30:12.107Z"}, "title": "zhayujie chatgpt-on-wechat CowAgent Administrative HTTP Endpoint missing authentication", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-306", "lang": "en", "description": "Missing Authentication"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "Improper Authentication"}]}], "affected": [{"vendor": "zhayujie", "product": "chatgpt-on-wechat CowAgent", "versions": [{"version": "2.0.4", "status": "affected"}], "modules": ["Administrative HTTP Endpoint"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in zhayujie chatgpt-on-wechat CowAgent 2.0.4. The affected element is an unknown function of the component Administrative HTTP Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:W/RC:UR"}}], "timeline": [{"time": "2026-04-11T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-11T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-11T22:27:51.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Yu_Bao (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/356990", "name": "VDB-356990 | zhayujie chatgpt-on-wechat CowAgent Administrative HTTP Endpoint missing authentication", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/356990/cti", "name": "VDB-356990 | CTI Indicators (IOB, IOC)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/793554", "name": "Submit #793554 | zhayujie chatgpt-on-wechat (CowAgent) 2.0.4 Unauthenticated Administrative API Access", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/submit/795335", "name": "Submit #795335 | zhayujie chatgpt-on-wechat (CowAgent) 2.0.4 Unauthenticated Channel Credential Injection (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/zhayujie/chatgpt-on-wechat/issues/2733", "tags": ["issue-tracking"]}, {"url": "https://github.com/zhayujie/chatgpt-on-wechat/issues/2733#issue-4177804035", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T12:24:03.628184Z", "id": "CVE-2026-6126", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T12:24:50.364Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6126", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T12:24:03.628184Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T12:24:15.743Z"}}], "cna": {"title": "zhayujie chatgpt-on-wechat CowAgent Administrative HTTP Endpoint missing authentication", "credits": [{"lang": "en", "type": "reporter", "value": "Yu_Bao (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:W/RC:UR"}}], "affected": [{"vendor": "zhayujie", "modules": ["Administrative HTTP Endpoint"], "product": "chatgpt-on-wechat CowAgent", "versions": [{"status": "affected", "version": "2.0.4"}]}], "timeline": [{"lang": "en", "time": "2026-04-11T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-11T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-11T22:27:51.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/356990", "name": "VDB-356990 | zhayujie chatgpt-on-wechat CowAgent Administrative HTTP Endpoint missing authentication", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/356990/cti", "name": "VDB-356990 | CTI Indicators (IOB, IOC)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/793554", "name": "Submit #793554 | zhayujie chatgpt-on-wechat (CowAgent) 2.0.4 Unauthenticated Administrative API Access", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/submit/795335", "name": "Submit #795335 | zhayujie chatgpt-on-wechat (CowAgent) 2.0.4 Unauthenticated Channel Credential Injection (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/zhayujie/chatgpt-on-wechat/issues/2733", "tags": ["issue-tracking"]}, {"url": "https://github.com/zhayujie/chatgpt-on-wechat/issues/2733#issue-4177804035", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in zhayujie chatgpt-on-wechat CowAgent 2.0.4. The affected element is an unknown function of the component Administrative HTTP Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "Missing Authentication"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "Improper Authentication"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-12T10:30:12.107Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6126", "state": "PUBLISHED", "dateUpdated": "2026-04-13T12:24:50.364Z", "dateReserved": "2026-04-11T20:22:46.584Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-12T10:30:12.107Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in zhayujie chatgpt-on-wechat CowAgent 2.0.4. The affected element is an unknown function of the component Administrative HTTP Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-6126", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-12T11:16:16.407", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/zhayujie/chatgpt-on-wechat/issues/2733"}, {"source": "cna@vuldb.com", "url": "https://github.com/zhayujie/chatgpt-on-wechat/issues/2733#issue-4177804035"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/793554"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/795335"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356990"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356990/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-306"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "chatgpt-on-wechat CowAgent", "source": "cna", "vendor": "zhayujie"}, "product": "chatgpt-on-wechat_cowagent", "vendor": "zhayujie"}], "analysis": {"en": {"generated_at": "2026-04-12T11:20:35.233454+00:00", "value": {"mitigation_remediation": ["Update to the latest released version of zhayujie chatgpt\u2011on\u2011wechat CowAgent, if one exists.", "Disable the administrative HTTP endpoint or restrict its exposure to trusted networks only.", "Verify that authentication mechanisms are enforced on all administrative interfaces before granting access.", "Monitor administrative logs for suspicious activity and apply network segmentation to limit reach to the endpoint."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Admin Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the CowAgent component of zhayujie chatgpt\u2011on\u2011wechat, specifically the 2.0.4 release. No other product versions are currently known to be impacted by this flaw, and the issue is tied to an unknown administrative HTTP function within that version.", "description_and_impact": "A weakness has been identified in the administrative HTTP endpoint of zhayujie chatgpt\u2011on\u2011wechat CowAgent 2.0.4. The endpoint is exposed without requiring any authentication, allowing an attacker who can reach the endpoint over the network to invoke administrator functions. Because the specific function that is vulnerable is not disclosed, the exact consequences are unclear, but the lack of authentication alone permits unauthorized control over the application.", "risk_and_exploitability": "The CVSS base score of 6.9 indicates moderate severity. The exploit relies on remote access to the unprotected administrative endpoint, and a public exploit has been made available, implying that attackers can readily abuse the weakness if the endpoint is exposed. The EPSS score is not provided, and the flaw is not yet listed in the CISA KEV catalog, but the combination of high accessibility, lack of authentication, and confirmed exploitation code suggests that the risk to systems where the endpoint is reachable is significant. Until a vendor patch is released, administrators should treat the exposed endpoint as a high\u2011credit risk and take mitigation measures immediately."}}}}, "created": "2026-04-13T12:41:26.412354+00:00", "updated": "2026-04-13T12:56:05.557808+00:00", "vendors": ["zhayujie", "zhayujie$PRODUCT$chatgpt-on-wechat_cowagent"]}