CVE-2026-5998
Received Received - Intake
Path Traversal in ChatGPT-on-WeChat API Memory Endpoint

Publication date: 2026-04-10

Last updated on: 2026-04-10

Assigner: VulDB

Description
A flaw has been found in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects the function dispatch of the file agent/memory/service.py of the component API Memory Content Endpoint. This manipulation of the argument filename causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 2.0.5 mitigates this issue. Patch name: 174ee0cafc9e8e9d97a23c305418251485b8aa89. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5998
EUVD
EUVD-2026-21277
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zhayujie chatgpt-on-wechat to 2.0.5 (exc)
zhayujie chatgpt-on-wechat 2.0.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5998 is a path traversal vulnerability in the chatgpt-on-wechat (CowAgent) Web Console, specifically affecting the API Memory Content Endpoint. The vulnerability exists because the filename parameter in the /api/memory/content endpoint is not properly validated or sanitized, allowing an attacker to manipulate the filename argument to access files outside the intended directory.

An unauthenticated attacker can exploit this by sending specially crafted requests with directory traversal sequences (like ../) to read arbitrary files on the server accessible by the application process.

This flaw allows reading sensitive system files such as /etc/passwd, application configuration files containing unmasked API keys, SSH private keys, logs with credentials, and environment files.

The vulnerability was fixed in version 2.0.5 by implementing strict path canonicalization and directory confinement, ensuring that resolved file paths remain within allowed directories and rejecting any traversal attempts.

Impact Analysis

This vulnerability can have serious impacts including unauthorized disclosure of sensitive information.

  • Attackers can read sensitive system files such as /etc/passwd and /etc/hosts, which can aid in further attacks or reconnaissance.
  • Exposure of application configuration files containing unmasked API keys for OpenAI, Claude, Azure, and other services, enabling unauthorized use or interception of language model services.
  • Access to SSH private keys and application logs containing credentials, which can lead to full system compromise.
  • Potential for chained exploitation with other vulnerabilities to fully compromise the system and intercept all language model communications.
Detection Guidance

This vulnerability can be detected by attempting to exploit the path traversal flaw in the `/api/memory/content` endpoint by sending specially crafted HTTP requests with the `filename` parameter containing directory traversal sequences such as `../`.

For example, sending a GET request to `/api/memory/content?filename=../../../../../../../etc/passwd` can reveal if the system is vulnerable by returning contents of sensitive files like `/etc/passwd`.

An automated Python script can be used to test multiple sensitive files and print partial contents to confirm the vulnerability.

  • Use curl or similar HTTP clients to send requests like: `curl 'http://<target>/api/memory/content?filename=../../../../../../../etc/passwd'`
  • Check for responses containing sensitive system files or unmasked API keys in the response body.
Mitigation Strategies

The immediate and recommended mitigation is to upgrade the affected component to version 2.0.5 or later, which includes a security fix that prevents path traversal by validating and restricting file paths.

The fix involves enhancing the `_resolve_path` method to resolve absolute paths and ensure they remain within allowed directories, raising errors if traversal outside is detected.

Additional mitigation steps include implementing strict path canonicalization, sanitizing the `filename` parameter to reject `..` sequences, adding authentication to all Web Console endpoints, and restricting accessible files via an allowlist of permitted extensions.

  • Upgrade to chatgpt-on-wechat version 2.0.5 using commands like `cow update` or `./run.sh update`.
  • If Cow CLI is not installed, install it with `pip3 install -e .` in the project root.
  • Apply patches or updates that implement path validation and error handling as described in the fix commit.
Compliance Impact

The vulnerability allows unauthenticated remote attackers to perform path traversal attacks to read arbitrary files on the server, including sensitive system files and application configuration files containing unmasked API keys.

This exposure of sensitive data, such as API keys and potentially personal or confidential information stored on the server, could lead to unauthorized access and data breaches.

Such breaches may violate data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive data, as well as protection against unauthorized disclosure.

Therefore, this vulnerability poses a risk to compliance with these regulations by potentially enabling unauthorized disclosure of protected information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5998. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart