CVE-2026-7846

LOW 2.6

chatchat-space Langchain-Chatchat OpenAI-Compatible File Upload API openai_routes.py files toctou

CVSS Score

2.6

EPSS Score

0.0%

EPSS Percentile

0th

A vulnerability has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. Impacted is the function files of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component OpenAI-Compatible File Upload API. Such manipulation of the argument file.filename leads to time-of-check time-of-use. Access to the local network is required for this attack to succeed. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CWE	CWE-367 CWE-362
Vendor	chatchat-space
Product	langchain-chatchat
Published	May 5, 2026
Last Updated	May 5, 2026

Stay Ahead of the Next One

Get instant alerts for chatchat-space langchain-chatchat

Be the first to know when new low vulnerabilities affecting chatchat-space langchain-chatchat are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

chatchat-space / Langchain-Chatchat

0.3.1.0 0.3.1.1 0.3.1.2 0.3.1.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/361125 vuldb.com: https://vuldb.com/vuln/361125/cti vuldb.com: https://vuldb.com/submit/807795 github.com: https://github.com/chatchat-space/Langchain-Chatchat/issues/5463 github.com: https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-2-Silent-File-Overwrite.md github.com: https://github.com/chatchat-space/Langchain-Chatchat/

Credits

🔍 Dem00 (VulDB User) VulDB CNA Team