CVE-2026-5631
Remote Code Injection in assafelovic gpt-researcher ws Endpoint
Publication date: 2026-04-06
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| assafelovic | gpt_researcher | up to 3.4.3 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5631 is a critical unauthenticated Remote Code Execution (RCE) vulnerability in GPT Researcher versions 3.4.3 and earlier. It occurs in the WebSocket `/ws` endpoint due to improper handling of MCP (Model Context Protocol) server configurations sent by clients without validation or sanitization.
An attacker can send a specially crafted WebSocket message containing arbitrary commands, arguments, and environment variables. These are passed directly to the server's subprocess execution function (`anyio.open_process()`), allowing the attacker to execute arbitrary OS commands on the server with the same privileges as the GPT Researcher process.
This vulnerability arises from the function `extract_command_data()` in the server code, which extracts user-controlled MCP configurations without validation, leading to command injection.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to remotely execute arbitrary commands on the GPT Researcher server. The attacker can gain full control over the server process, which can lead to several severe impacts:
- Execution of arbitrary OS commands with server privileges.
- Reading and writing files on the server, potentially exposing sensitive data.
- Installation of backdoors or malware for persistent access.
- Lateral movement within the network to compromise other systems.
- Data exfiltration and potential disruption of services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious WebSocket traffic to the `/ws` endpoint of the GPT Researcher server, especially messages containing the `mcp_configs` parameter with unusual or arbitrary commands.
Detection commands or methods could include capturing and inspecting WebSocket messages for the presence of `mcp_configs` JSON payloads with commands like `touch`, `id`, `whoami`, or other shell commands.
Network monitoring tools such as Wireshark or tcpdump can be used to capture WebSocket traffic, and custom scripts can parse the payloads for suspicious command patterns.
Additionally, checking for unexpected files like `/tmp/rce_proof_gpt_researcher` or `/tmp/rce_output` on the server filesystem may indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Implement strict allowlisting of MCP commands to block dangerous commands such as `bash`, `sh`, `curl`, `wget`, and `rm`.
- Validate MCP command arguments to reject shell metacharacters like `|`, `&`, `;`, `` ` ``, `$`, `>`, and `<` to prevent command injection.
- Require authentication on the WebSocket `/ws` endpoint to prevent anonymous remote access.
- Disable the MCP feature by default and require explicit server-side configuration to enable it.
- Sandbox MCP subprocesses using containerization or OS-level security mechanisms such as Docker, seccomp, or AppArmor.
- Remove or restrict client control over environment variables passed to MCP processes.
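The following is an added example (not code from the gpt-researcher project) that puts the detection guidance and the mitigation guidance above into one Python module. `validate_mcp_config()` applies the allowlist, the denied-command list, the shell-metacharacter check and the "no client-supplied environment" rule to a single MCP server entry; `scan_ws_frames()` runs that same check over captured `/ws` text frames to flag messages whose `mcp_configs` would have been rejected. The allowlist contents, the frame format (a JSON object carrying a top-level `mcp_configs` list) and the sample frames are assumptions constructed for the example; the only names taken from the advisory are the `mcp_configs` key and the command names it lists.

```python
import json

# Assumption: launchers an operator chooses to permit for MCP servers. Tune per deployment.
ALLOWED_COMMANDS = {"npx", "uvx", "python"}
# Commands the advisory names as dangerous; rejected regardless of the allowlist.
DENIED_COMMANDS = {"bash", "sh", "curl", "wget", "rm"}
# Shell metacharacters the advisory says must not appear in MCP arguments.
SHELL_METACHARS = set("|&;`$><")


def validate_mcp_config(cfg: dict) -> list[str]:
    """Return policy violations for one MCP server config. An empty list means the
    entry may be handed to the process launcher; anything else must be refused."""
    findings: list[str] = []
    command = cfg.get("command")
    if not isinstance(command, str) or not command:
        findings.append("missing or non-string command")
        return findings
    # Compare the basename so "/bin/sh" and "sh" are treated alike.
    base = command.rsplit("/", 1)[-1]
    if base in DENIED_COMMANDS:
        findings.append(f"denied command: {command}")
    elif base not in ALLOWED_COMMANDS:
        findings.append(f"command not on allowlist: {command}")
    args = cfg.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        findings.append("args must be a list of strings")
    else:
        for a in args:
            bad = sorted(SHELL_METACHARS & set(a))
            if bad:
                findings.append(f"shell metacharacters {bad} in argument {a!r}")
    # Strict form of "remove client control over environment variables":
    # the client may not set any environment for the subprocess.
    if cfg.get("env"):
        findings.append("client-supplied env vars are not permitted")
    return findings


def scan_ws_frames(frames: list[str]) -> list[dict]:
    """Detection helper: flag captured /ws text frames whose mcp_configs entries
    fail the policy. Non-JSON frames and frames without mcp_configs are ignored."""
    hits: list[dict] = []
    for i, frame in enumerate(frames):
        try:
            body = json.loads(frame)
        except json.JSONDecodeError:
            continue
        if not isinstance(body, dict) or "mcp_configs" not in body:
            continue
        configs = body["mcp_configs"]
        if not isinstance(configs, list):
            hits.append({"frame": i, "config": None, "findings": ["mcp_configs is not a list"]})
            continue
        for j, cfg in enumerate(configs):
            findings = validate_mcp_config(cfg) if isinstance(cfg, dict) else ["config entry is not an object"]
            if findings:
                hits.append({"frame": i, "config": j, "findings": findings})
    return hits


# Constructed sample frames standing in for a capture of the /ws endpoint (assumed format).
SAMPLE_FRAMES = [
    '{"task": "summarize recent papers", "report_type": "research_report"}',
    '{"task": "q", "mcp_configs": [{"command": "npx", "args": ["-y", "example-mcp-server"]}]}',
    '{"task": "q", "mcp_configs": [{"command": "sh", "args": ["-c", "whoami"]}]}',
    '{"task": "q", "mcp_configs": [{"command": "npx", "args": ["-y", "x; id"], "env": {"PATH": "/tmp"}}]}',
    "ping",
]

if __name__ == "__main__":
    for hit in scan_ws_frames(SAMPLE_FRAMES):
        print(f"frame {hit['frame']} config {hit['config']}: {'; '.join(hit['findings'])}")
```

On the server side the same `validate_mcp_config()` check belongs immediately before the config reaches the process launcher, so that a rejected entry never becomes a subprocess; on the monitoring side, feeding decoded WebSocket text frames from a tcpdump or Wireshark export into `scan_ws_frames()` gives a first-pass list of suspicious messages to triage.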
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated remote code execution on the GPT Researcher server, enabling attackers to execute arbitrary commands, read/write files, install backdoors, move laterally, and exfiltrate data.
Such capabilities can lead to unauthorized access and disclosure of sensitive data, which may violate data protection regulations like GDPR and HIPAA that require strict controls on data confidentiality, integrity, and access.
Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to potential data breaches and failure to protect personal or health-related information.