CVE-2026-10214
Deferred Deferred - Pending Action
Command Injection in zhayujie chatgpt-on-wechat

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A weakness has been identified in zhayujie chatgpt-on-wechat up to 2.0.8. This issue affects the function _get_safety_warning of the file agent/tools/bash/bash.py of the component Bash Tool. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2.0.9 is capable of addressing this issue. This patch is called 16d9b449c9aa53ccee44144a762a2737d7ba4fc4. It is recommended to upgrade the affected component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10214
EUVD
EUVD-2026-33535
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zhayujie chatgpt-on-wechat to 2.0.8 (inc)
zhayujie chatgpt-on-wechat 2.0.9
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10214 is a critical vulnerability in the chatgpt-on-wechat application (versions up to 2.0.8) that allows remote attackers to execute arbitrary operating system commands. The issue exists in the Bash Tool component, specifically in the _get_safety_warning function, which uses a weak safety filter relying on a blocklist of exact-match patterns. This filter can be bypassed by crafted inputs, enabling attackers to inject OS commands remotely without authentication.

An attacker can exploit this vulnerability by sending specially crafted prompts to the unauthenticated HTTP /message interface, tricking the large language model (LLM) agent into invoking the Bash tool and executing arbitrary commands with the application's privileges, often root in Docker environments. This leads to complete system compromise.

Impact Analysis

This vulnerability can have severe impacts including complete system compromise. An attacker can execute arbitrary OS commands remotely, potentially gaining root privileges, especially in Docker deployments.

  • Full system takeover allowing lateral movement within the network.
  • Data theft or unauthorized access to sensitive information.
  • Hijacking of API keys or other credentials stored or accessible by the application.
Detection Guidance

The vulnerability can be detected by monitoring for attempts to exploit the unauthenticated HTTP /message interface, where crafted prompts trigger the Bash tool to execute arbitrary OS commands. Detection involves checking for unusual or unauthorized shell command executions initiated by the chatgpt-on-wechat application, especially those that bypass weak safety filters.

Since the exploit involves remote command execution via the Bash tool, you can look for suspicious network requests to the /message endpoint and unexpected shell activity under the privileges of the application.

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP requests targeting the /message interface.
  • Check application logs for unusual commands or errors related to the Bash tool execution.
  • Run commands to detect suspicious processes or shell commands spawned by the chatgpt-on-wechat application, for example:
  • ps aux | grep chatgpt-on-wechat
  • lsof -i :<port_number> (replace <port_number> with the port used by the application)
  • grep -i 'bash.py' /path/to/chatgpt-on-wechat/logs/*

Additionally, since proof-of-concept scripts exist, running them in a controlled environment can help confirm if your system is vulnerable.

Mitigation Strategies

The primary and recommended immediate mitigation step is to upgrade the chatgpt-on-wechat application to version 2.0.9 or later, where the vulnerability has been patched.

This update includes security improvements such as binding the web console to localhost (127.0.0.1) by default, which restricts remote access and reduces exposure.

Additional mitigation steps include:

  • Restrict network access to the application, especially the /message interface, to trusted hosts only.
  • Set strong passwords for web console access if public access (0.0.0.0) is necessary.
  • Disable or sandbox the Bash tool component if it is not required.
  • Monitor logs and network traffic for suspicious activity related to command execution.
Compliance Impact

The vulnerability allows unauthenticated remote OS command injection, leading to complete system compromise including potential data theft and lateral movement within the affected environment.

Such a compromise could result in unauthorized access to sensitive personal or protected health information, which would negatively impact compliance with data protection regulations like GDPR and HIPAA.

Exploitation of this vulnerability could lead to breaches of confidentiality, integrity, and availability of data, thereby violating regulatory requirements for safeguarding sensitive information.

Mitigating the vulnerability by upgrading to version 2.0.9 is recommended to reduce the risk of non-compliance due to security breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10214. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart