AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-7643: A flaw has been found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function of the file Next.js of t

mediumvulnerability

security

Source: NVD/CVE DatabaseMay 2, 2026CVE-2026-7643

Summary

ChatGPTNextWeb NextChat versions up to 2.16.1 contain a flaw in its Next.js API endpoint that allows attackers to manipulate a function and create a permissive cross-domain policy with untrusted domains (meaning the system accepts requests from any website, not just trusted ones). The attack can be launched remotely, an exploit has been published, but the project developers have not yet responded to the early notification.

Vulnerability Details

CVSS Score

4.3(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector

network

Attack Complexity

low

Privileges Required

none

User Interaction

required

Disclosure Date

May 2, 2026

Classification

Attack Type

Other

Attack SophisticationTrivial

Impact (CIA+S)

integrity

AI Component TargetedAPI

Taxonomy References

CWE (Weakness Type)

CWE-346 CWE-942

Affected Vendors

Related Issues

high

CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne

Similar attackNVD/CVE Database

high

GHSA-w3hv-x4fp-6h6j: @grackle-ai/server has Missing WebSocket Origin Header Validation

Similar attack

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-7643

First tracked: May 2, 2026 at 02:07 PM

Classified by LLM (prompt v3) · confidence: 75%