CVE-2026-14714: A weakness has been identified in zhayujie chatgpt-on-wechat CowAgent 2.1.0. This issue affects the function verify_serv
Summary
A security weakness was found in CowAgent version 2.1.0 where the verify_server function fails to properly authenticate requests when the wechatmp_token (a security credential) is missing or empty, allowing remote attackers to bypass authentication. This vulnerability has been publicly disclosed and is being actively exploited.
Solution / Mitigation
Upgrading to version 2.1.1 addresses this issue. The fix adds an explicit check to ensure wechatmp_token is not empty in the verify_server() function, causing the /wx endpoint (the entry point for requests) to reject requests with a 403 Forbidden error when the token is missing or has its default empty value, instead of falling back to a weaker signature verification method.
Vulnerability Details
6.5(medium)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
network
low
none
none
July 5, 2026
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-14714
First tracked: July 5, 2026 at 08:07 AM
Classified by LLM (prompt v3) · confidence: 85%