What is CVE-2026-7644?

A medium-severity vulnerability has been identified in ChatGPTNextWeb NextChat up to version 2.16.1. This vulnerability allows for improper authorization, enabling potential remote exploitation. Immediate action is advised for affected organizations.

What is the severity of CVE-2026-7644?

CVE-2026-7644 has a severity rating of MEDIUM with a CVSS base score of 5.5.

CVE-2026-7644 | Medium Vulnerability in ChatGPTNextWeb NextChat

A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the file app/mcp/actions.ts. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

This vulnerability has a CVSS score of 5.5, categorizing it as medium severity. Organizations should be aware that the potential for exploitation exists, and they should take proactive measures to address this issue.

Risk to organizations includes unauthorized access to sensitive functions, which can lead to further exploitation if not addressed promptly. Organizations should prioritize patching immediately.

As of now, there are no known exploits or proof of concepts publicly available, but the situation may change as the vulnerability has been disclosed.

Organizations using affected versions of ChatGPTNextWeb NextChat should assess their exposure to this vulnerability and implement necessary security measures.

Vulnerability Details

The vulnerability allows for improper authorization within the application, specifically in the function addMcpServer located in app/mcp/actions.ts. It has been classified under CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization).

The CVSS v3.1 base score is 7.3 with a severity of high, indicating a significant risk factor. The attack vector is network-based with low complexity and does not require any privileges or user interaction.

Published on May 2, 2026, this vulnerability demands immediate attention from organizations utilizing the affected software.

Technical Analysis

The root cause of this vulnerability is improper authorization implemented in the application, which can be exploited by attackers to gain unauthorized access to functionalities intended for privileged users.

The attack vector is through the network, making it easily exploitable by remote attackers. The complexity of the exploit is low, meaning that little technical knowledge is needed to carry out the attack.

No privileges are required for exploitation, and no user interaction is necessary, increasing the risk associated with this vulnerability.

The confidentiality, integrity, and availability impacts are categorized as low, but the potential for exploitation remains significant.

Risk & Impact Analysis

Real-world deployment risk includes the potential for unauthorized access to sensitive application functions, which may lead to data exposure or manipulation.

This vulnerability poses a significant threat to organizations that rely on ChatGPTNextWeb NextChat, especially those handling sensitive data or critical operations.

The urgency for remediation is underscored by its medium severity classification, suggesting that organizations should address this vulnerability as a priority in their patch cycle.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

All versions prior to vendor patch.

Mitigation & Remediation

Organizations should prioritize patching immediately to address this vulnerability. Ensure that all systems are updated to the latest version of ChatGPTNextWeb NextChat to mitigate risk.

Continuous penetration testing should be conducted to validate the effectiveness of the patch.

Detection Guidance

Monitor logs for any unauthorized access attempts and behavioral anomalies indicating exploitation attempts.

AppSecure Threat Intelligence Insight

The vulnerability exemplifies the importance of proper authorization controls in applications. Security teams should review their authorization mechanisms to prevent similar vulnerabilities.

Penetration testing methodology can provide insights into potential weaknesses in an organization's security posture.

A robust vulnerability management program is essential for timely identification and remediation of security issues.

Security testing best practices should be integrated into the development lifecycle to mitigate similar vulnerabilities in the future.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-7644: Medium Vulnerability in ChatGPTNextWeb NextChat