CVE-2026-10214
Received - Intake
Command Injection in zhayujie chatgpt-on-wechat

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A weakness has been identified in zhayujie chatgpt-on-wechat up to 2.0.8. It affects the function _get_safety_warning in the file agent/tools/bash/bash.py of the Bash Tool component. A manipulation can lead to OS command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2.0.9 addresses this issue. The patch is identified as 16d9b449c9aa53ccee44144a762a2737d7ba4fc4. It is recommended to upgrade the affected component.
Meta Information
  • Published: 2026-06-01
  • Last Modified: 2026-06-01
  • Generated: 2026-06-01
  • AI Q&A: 2026-06-01
  • EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zhayujie chatgpt-on-wechat to 2.0.8 (inc)
zhayujie chatgpt-on-wechat 2.0.9
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-10214 is a critical vulnerability in the chatgpt-on-wechat application (versions up to 2.0.8) that allows remote attackers to execute arbitrary operating system commands. The issue exists in the Bash Tool component, specifically in the _get_safety_warning function, which uses a weak safety filter relying on a blocklist of exact-match patterns. This filter can be bypassed by crafted inputs, enabling attackers to inject OS commands remotely without authentication.

An attacker can exploit this vulnerability by sending specially crafted prompts to the unauthenticated HTTP /message interface, tricking the large language model (LLM) agent into invoking the Bash tool and executing arbitrary commands with the application's privileges, often root in Docker environments. This leads to complete system compromise.


How can this vulnerability impact me?

This vulnerability can have severe impacts including complete system compromise. An attacker can execute arbitrary OS commands remotely, potentially gaining root privileges, especially in Docker deployments.

  • Full system takeover allowing lateral movement within the network.
  • Data theft or unauthorized access to sensitive information.
  • Hijacking of API keys or other credentials stored or accessible by the application.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability can be detected by monitoring for attempts to exploit the unauthenticated HTTP /message interface, where crafted prompts trigger the Bash tool to execute arbitrary OS commands. Detection involves checking for unusual or unauthorized shell command executions initiated by the chatgpt-on-wechat application, especially those that bypass weak safety filters.

Since the exploit involves remote command execution via the Bash tool, you can look for suspicious network requests to the /message endpoint and unexpected shell activity under the privileges of the application.

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP requests targeting the /message interface.
  • Check application logs for unusual commands or errors related to the Bash tool execution.
  • Run commands to detect suspicious processes or shell commands spawned by the chatgpt-on-wechat application, for example:
      • ps aux | grep chatgpt-on-wechat
      • lsof -i :<port_number> (replace <port_number> with the port used by the application)
      • grep -i 'bash.py' /path/to/chatgpt-on-wechat/logs/*
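
The process check from the list above, as an added example (not part of the original page or the project's own code): it reads `ps -eo pid,ppid,user,args` output and lists every shell that descends from the application process. The sample process table, its paths and the default match string are constructed assumptions; the Bash tool also starts shells in normal use, so the result is a list to review against expected activity.

```shell
#!/bin/sh
# Added example: list shell processes that descend from the chatgpt-on-wechat process.
# Live use: ps -eo pid,ppid,user,args | find_shell_descendants chatgpt-on-wechat

# Constructed sample of `ps -eo pid,ppid,user,args` output (not real data;
# the /app/... and healthcheck paths are assumptions for illustration).
SAMPLE_PS='  PID  PPID USER     COMMAND
    1     0 root     /sbin/docker-init -- python3 app.py
    7     1 root     python3 /app/chatgpt-on-wechat/app.py
   41     7 root     /bin/sh -c ls -la /app
   42    41 root     ls -la /app
   50     7 root     bash -c whoami
   60     1 root     /bin/bash /usr/local/bin/healthcheck.sh'

# Reads a process table on stdin. $1 is a substring that identifies the
# application's command line (assumed default: chatgpt-on-wechat).
# Prints: <shell pid> <app ancestor pid> <user> <shell command line>
find_shell_descendants() {
  awk -v pat="${1:-chatgpt-on-wechat}" '
    NR == 1 && $1 == "PID" { next }               # skip the ps header
    {
      pid = $1; ppid[pid] = $2; user[pid] = $3
      args = $0                                   # strip pid, ppid, user columns
      sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+[^ \t]+[ \t]+/, "", args)
      cmd[pid] = args
      exe = $4; sub(/.*\//, "", exe)              # basename of argv[0]
      is_shell[pid] = (exe ~ /^-?(sh|bash|dash|ash|zsh)$/)
      is_app[pid] = (index(args, pat) > 0)
      order[++n] = pid
    }
    END {
      for (i = 1; i <= n; i++) {
        pid = order[i]
        if (!is_shell[pid]) continue
        p = ppid[pid]
        # Walk up the parent chain; the depth cap guards against loops.
        for (depth = 0; depth < 64 && (p in ppid); depth++) {
          if (is_app[p]) {
            printf "%s %s %s %s\n", pid, p, user[pid], cmd[pid]
            break
          }
          p = ppid[p]
        }
      }
    }'
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_PS" | find_shell_descendants chatgpt-on-wechat
```

A shell running as root under the application, as in the sample, also confirms the privilege level the page warns about for Docker deployments.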

Additionally, since proof-of-concept scripts exist, running them in a controlled environment can help confirm if your system is vulnerable.


What immediate steps should I take to mitigate this vulnerability?

The primary and recommended immediate mitigation step is to upgrade the chatgpt-on-wechat application to version 2.0.9 or later, where the vulnerability has been patched.

This update includes security improvements such as binding the web console to localhost (127.0.0.1) by default, which restricts remote access and reduces exposure.

Additional mitigation steps include:

  • Restrict network access to the application, especially the /message interface, to trusted hosts only.
  • Set strong passwords for web console access if public access (0.0.0.0) is necessary.
  • Disable or sandbox the Bash tool component if it is not required.
  • Monitor logs and network traffic for suspicious activity related to command execution.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated remote OS command injection, leading to complete system compromise including potential data theft and lateral movement within the affected environment.

Such a compromise could result in unauthorized access to sensitive personal or protected health information, which would negatively impact compliance with data protection regulations like GDPR and HIPAA.

Exploitation of this vulnerability could lead to breaches of confidentiality, integrity, and availability of data, thereby violating regulatory requirements for safeguarding sensitive information.

Mitigating the vulnerability by upgrading to version 2.0.9 is recommended to reduce the risk of non-compliance due to security breaches.

