AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-7644: A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the fil

highvulnerability

security

Source: NVD/CVE DatabaseMay 2, 2026CVE-2026-7644

Summary

A vulnerability (CVE-2026-7644) was found in ChatGPTNextWeb NextChat version 2.16.1 and earlier, affecting the addMcpServer function in the app/mcp/actions.ts file. The flaw allows improper authorization (meaning the system fails to correctly verify who should have access to certain features), and it can be exploited remotely by anyone without needing special permissions. The vulnerability has been publicly disclosed, and the developers have been notified but have not yet responded.

Vulnerability Details

CVSS Score

7.3(high)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

network

Attack Complexity

low

Privileges Required

none

User Interaction

none

Disclosure Date

May 2, 2026

Classification

Attack Type

Other

Attack SophisticationModerate

Impact (CIA+S)

integrityconfidentiality

Taxonomy References

CWE (Weakness Type)

CWE-266 CWE-285

Affected Vendors

Related Issues

high

CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne

Similar attackNVD/CVE Database

high

GHSA-w3hv-x4fp-6h6j: @grackle-ai/server has Missing WebSocket Origin Header Validation

Similar attack

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-7644

First tracked: May 2, 2026 at 02:07 PM

Classified by LLM (prompt v3) · confidence: 72%