CVE-2026-7846: A vulnerability has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. Impacted is the function files of the
Summary
A vulnerability (CVE-2026-7846) exists in the OpenAI-Compatible File Upload API of Langchain-Chatchat versions up to 0.3.1.3. The flaw is a time-of-check time-of-use (TOCTOU) bug: a race condition in which a file is checked for safety and then modified before it is actually used. It is triggered by manipulating the file.filename argument. Exploitation requires local network access and is difficult.
Vulnerability Details
CVSS score: 2.6 (low)
EPSS: 0.0%
Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack vector: adjacent
Attack complexity: high
Privileges required: low
User interaction: none
May 5, 2026
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-7846
First tracked: May 5, 2026 at 02:09 PM