AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-6662: A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src

highvulnerability

security

Source: NVD/CVE DatabaseApril 20, 2026CVE-2026-6662

Summary

A vulnerability (CVE-2026-6662) was found in ericc-ch copilot-api versions up to 0.7.0 in the CORS function (a security feature that controls which websites can access an API from a web browser) of the token endpoint. The flaw allows a permissive cross-domain policy with untrusted domains, meaning attackers from other websites could potentially access the API remotely, and the exploit has been publicly disclosed.

Vulnerability Details

CVSS Score

7.3(high)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

network

Attack Complexity

low

Privileges Required

none

User Interaction

none

Disclosure Date

April 20, 2026

Classification

Attack Type

Other

Attack SophisticationTrivial

Impact (CIA+S)

confidentialityintegrity

Taxonomy References

CWE (Weakness Type)

CWE-346 CWE-942

Affected Vendors

LangChain

Related Issues

medium

CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e

Same vendorNVD/CVE Database

critical

CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-

Same vendor

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-6662

First tracked: April 20, 2026 at 02:08 PM

Classified by LLM (prompt v3) · confidence: 70%