CVE-2026-5998
Path Traversal in ChatGPT-on-WeChat API Memory Endpoint
Publication date: 2026-04-10
Last updated on: 2026-04-10
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zhayujie | chatgpt-on-wechat | up to 2.0.5 (exclusive) |
| zhayujie | chatgpt-on-wechat | 2.0.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5998 is a path traversal vulnerability in the chatgpt-on-wechat (CowAgent) Web Console, specifically affecting the API Memory Content Endpoint. The vulnerability exists because the filename parameter in the /api/memory/content endpoint is not properly validated or sanitized, allowing an attacker to manipulate the filename argument to access files outside the intended directory.
An unauthenticated attacker can exploit this by sending specially crafted requests with directory traversal sequences (like ../) to read arbitrary files on the server accessible by the application process.
This flaw allows reading sensitive system files such as /etc/passwd, application configuration files containing unmasked API keys, SSH private keys, logs with credentials, and environment files.
The vulnerability was fixed in version 2.0.5 by implementing strict path canonicalization and directory confinement, ensuring that resolved file paths remain within allowed directories and rejecting any traversal attempts.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized disclosure of sensitive information.
- Attackers can read sensitive system files such as /etc/passwd and /etc/hosts, which can aid in further attacks or reconnaissance.
- Exposure of application configuration files containing unmasked API keys for OpenAI, Claude, Azure, and other services, enabling unauthorized use or interception of language model services.
- Access to SSH private keys and application logs containing credentials, which can lead to full system compromise.
- Potential for chained exploitation with other vulnerabilities to fully compromise the system and intercept all language model communications.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the path traversal flaw in the `/api/memory/content` endpoint by sending specially crafted HTTP requests with the `filename` parameter containing directory traversal sequences such as `../`.
For example, sending a GET request to `/api/memory/content?filename=../../../../../../../etc/passwd` can reveal if the system is vulnerable by returning contents of sensitive files like `/etc/passwd`.
An automated Python script can be used to test multiple sensitive files and print partial contents to confirm the vulnerability.
- Use curl or similar HTTP clients to send requests like: `curl 'http://<target>/api/memory/content?filename=../../../../../../../etc/passwd'`
- Check for responses containing sensitive system files or unmasked API keys in the response body.
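Past requests can also be reviewed without sending any traffic, by searching web server or reverse-proxy access logs for traversal sequences in the `filename` parameter of this endpoint. The following is an added example, not code from the original page or from the project; it assumes logs in common/combined log format, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/api/memory/content"
# Request line and status code in a common/combined-format entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %252e) before inspecting the value."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(filename):
    """True if any path segment is '..' once encodings and backslashes are normalized."""
    name = fully_decode(filename).replace("\\", "/")
    return ".." in name.split("/")

def suspicious_requests(log_lines):
    """Return (status, decoded filename) for traversal attempts on the endpoint."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != ENDPOINT:
            continue
        # parse_qs removes one layer of percent-encoding; fully_decode removes the rest.
        for filename in parse_qs(url.query).get("filename", []):
            if is_traversal(filename):
                hits.append((int(match.group(2)), fully_decode(filename)))
    return hits

# Constructed sample entries (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2026:09:14:02 +0000] "GET /api/memory/content?filename=../../../../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.7 - - [10/Apr/2026:09:14:05 +0000] "GET /api/memory/content?filename=%252e%252e%252f%252e%252e%252fconfig.json HTTP/1.1" 400 52',
    '198.51.100.20 - - [10/Apr/2026:09:20:11 +0000] "GET /api/memory/content?filename=2026-04-09.md HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for status, name in suspicious_requests(SAMPLE_LOG):
        print(status, name)
```

A hit with status 200 deserves priority, since it indicates the server returned content for a path outside the memory directory.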
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade the affected component to version 2.0.5 or later, which includes a security fix that prevents path traversal by validating and restricting file paths.
The fix involves enhancing the `_resolve_path` method to resolve absolute paths and ensure they remain within allowed directories, raising errors if traversal outside is detected.
Additional mitigation steps include implementing strict path canonicalization, sanitizing the `filename` parameter to reject `..` sequences, adding authentication to all Web Console endpoints, and restricting accessible files via an allowlist of permitted extensions.
- Upgrade to chatgpt-on-wechat version 2.0.5 using commands like `cow update` or `./run.sh update`.
- If Cow CLI is not installed, install it with `pip3 install -e .` in the project root.
- Apply patches or updates that implement path validation and error handling as described in the fix commit.
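The canonicalize-then-confine check described above can be illustrated as follows. This is an added example, not the project's actual `_resolve_path` code; `resolve_naive`, `resolve_confined` and the temporary directory layout are hypothetical names and constructed data.

```python
import os
import tempfile

def resolve_naive(base_dir, filename):
    """The vulnerable pattern: join without checking where the result lands."""
    return os.path.normpath(os.path.join(base_dir, filename))

def resolve_confined(base_dir, filename):
    """Canonicalize first, then require the result to stay under base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses '..' segments and follows symlinks, so a link inside
    # base_dir that points elsewhere is rejected as well.
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base!r}: {filename!r}")
    return candidate

def demo():
    """Build a constructed directory tree and classify a few filenames."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        memory_dir = os.path.join(root, "memory")
        os.makedirs(memory_dir)
        with open(os.path.join(memory_dir, "notes.md"), "w") as fh:
            fh.write("constructed sample\n")
        secret = os.path.join(root, "config.json")
        with open(secret, "w") as fh:
            fh.write("{}\n")
        os.symlink(secret, os.path.join(memory_dir, "leak.md"))
        for name in ("notes.md", "sub/../notes.md", "../config.json", "leak.md"):
            try:
                resolve_confined(memory_dir, name)
                results[name] = "allowed"
            except ValueError:
                results[name] = "rejected"
        # The naive join silently lands outside memory_dir.
        naive = resolve_naive(memory_dir, "../config.json")
        results["naive_escapes"] = os.path.dirname(naive) == os.path.normpath(root)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The check runs on the resolved path rather than on the raw string, so it does not depend on enumerating every encoding of `..` in the input.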
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated remote attackers to perform path traversal attacks to read arbitrary files on the server, including sensitive system files and application configuration files containing unmasked API keys.
This exposure of sensitive data, such as API keys and potentially personal or confidential information stored on the server, could lead to unauthorized access and data breaches.
Such breaches may violate data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive data, as well as protection against unauthorized disclosure.
Therefore, this vulnerability poses a risk to compliance with these regulations by potentially enabling unauthorized disclosure of protected information.