CVE-2026-5631
Received Received - Intake
Remote Code Injection in assafelovic gpt-researcher ws Endpoint

Publication date: 2026-04-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in assafelovic gpt-researcher up to 3.4.3. This affects the function extract_command_data of the file backend/server/server_utils.py of the component ws Endpoint. Such manipulation of the argument args leads to code injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5631
EUVD
EUVD-2026-19186
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
assafelovic gpt_researcher to 3.4.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5631 is a critical unauthenticated Remote Code Execution (RCE) vulnerability in GPT Researcher versions 3.4.3 and earlier. It occurs in the WebSocket `/ws` endpoint due to improper handling of MCP (Model Context Protocol) server configurations sent by clients without validation or sanitization.

An attacker can send a specially crafted WebSocket message containing arbitrary commands, arguments, and environment variables. These are passed directly to the server's subprocess execution function (`anyio.open_process()`), allowing the attacker to execute arbitrary OS commands on the server with the same privileges as the GPT Researcher process.

This vulnerability arises from the function `extract_command_data()` in the server code, which extracts user-controlled MCP configurations without validation, leading to command injection.

Impact Analysis

This vulnerability allows an unauthenticated attacker to remotely execute arbitrary commands on the GPT Researcher server. The attacker can gain full control over the server process, which can lead to several severe impacts:

  • Execution of arbitrary OS commands with server privileges.
  • Reading and writing files on the server, potentially exposing sensitive data.
  • Installation of backdoors or malware for persistent access.
  • Lateral movement within the network to compromise other systems.
  • Data exfiltration and potential disruption of services.
Detection Guidance

This vulnerability can be detected by monitoring for suspicious WebSocket traffic to the `/ws` endpoint of the GPT Researcher server, especially messages containing the `mcp_configs` parameter with unusual or arbitrary commands.

Detection commands or methods could include capturing and inspecting WebSocket messages for the presence of `mcp_configs` JSON payloads with commands like `touch`, `id`, `whoami`, or other shell commands.

Network monitoring tools such as Wireshark or tcpdump can be used to capture WebSocket traffic, and custom scripts can parse the payloads for suspicious command patterns.

Additionally, checking for unexpected files like `/tmp/rce_proof_gpt_researcher` or `/tmp/rce_output` on the server filesystem may indicate exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include implementing strict allowlisting of MCP commands to block dangerous commands such as `bash`, `sh`, `curl`, `wget`, and `rm`.

Validate MCP command arguments to reject shell metacharacters like `|`, `&`, `;`, `` ` ``, `$`, `>`, and `<` to prevent command injection.

Require authentication on the WebSocket `/ws` endpoint to prevent anonymous remote access.

Disable the MCP feature by default and require explicit server-side configuration to enable it.

Sandbox MCP subprocesses using containerization or OS-level security mechanisms such as Docker, seccomp, or AppArmor.

Remove or restrict client control over environment variables passed to MCP processes.

Compliance Impact

This vulnerability allows unauthenticated remote code execution on the GPT Researcher server, enabling attackers to execute arbitrary commands, read/write files, install backdoors, move laterally, and exfiltrate data.

Such capabilities can lead to unauthorized access and disclosure of sensitive data, which may violate data protection regulations like GDPR and HIPAA that require strict controls on data confidentiality, integrity, and access.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to potential data breaches and failure to protect personal or health-related information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5631. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart