{"data":{"id":"7c601254-52ef-466c-a844-eded76d04b90","title":"CVE-2026-7644: A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the fil","summary":"A vulnerability (CVE-2026-7644) was found in ChatGPTNextWeb NextChat version 2.16.1 and earlier, affecting the addMcpServer function in the app/mcp/actions.ts file. The flaw allows improper authorization (meaning the system fails to correctly verify who should have access to certain features), and it can be exploited remotely by anyone without needing special permissions. The vulnerability has been publicly disclosed, and the developers have been notified but have not yet responded.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-7644","publishedAt":"2026-05-02T15:16:14.373Z","cveId":"CVE-2026-7644","cweIds":["CWE-266","CWE-285"],"cvssScore":"7.3","cvssSeverity":"high","severity":"high","attackType":["other"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["ChatGPTNextWeb","NextChat"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-05-02T15:16:14.373Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.72,"researchCategory":null,"atlasIds":null}}