AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-6874: A vulnerability was determined in ericc-ch copilot-api up to 0.7.0. This impacts an unknown function of the file /token

mediumvulnerability

security

Source: NVD/CVE DatabaseApril 22, 2026CVE-2026-6874

Summary

A vulnerability (CVE-2026-6874) was found in ericc-ch copilot-api version 0.7.0 and earlier that affects the /token file's Header Handler component. An attacker can manipulate the Host argument to exploit reliance on reverse DNS resolution (looking up a domain name from an IP address), potentially allowing remote access to systems where the attacker has login credentials.

Vulnerability Details

CVSS Score

4.3(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

network

Attack Complexity

low

Privileges Required

low

User Interaction

none

Disclosure Date

April 22, 2026

Classification

Attack Type

Other

Attack SophisticationModerate

Impact (CIA+S)

integrity

AI Component TargetedAPI

Taxonomy References

CWE (Weakness Type)

CWE-350

Affected Vendors

Related Issues

high

CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne

Similar attackNVD/CVE Database

high

GHSA-w3hv-x4fp-6h6j: @grackle-ai/server has Missing WebSocket Origin Header Validation

Similar attack

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-6874

First tracked: April 23, 2026 at 02:09 AM

Classified by LLM (prompt v3) · confidence: 72%