{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6129", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-12T04:23:09.399Z", "datePublished": "2026-04-12T19:45:12.190Z", "dateUpdated": "2026-04-15T15:25:46.572Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-12T19:45:12.190Z"}, "title": "zhayujie chatgpt-on-wechat CowAgent Agent Mode Service missing authentication", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-306", "lang": "en", "description": "Missing Authentication"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "Improper Authentication"}]}], "affected": [{"vendor": "zhayujie", "product": "chatgpt-on-wechat CowAgent", "versions": [{"version": "2.0.0", "status": "affected"}, {"version": "2.0.1", "status": "affected"}, {"version": "2.0.2", "status": "affected"}, {"version": "2.0.3", "status": "affected"}, {"version": "2.0.4", "status": "affected"}], "modules": ["Agent Mode Service"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects an unknown function of the component Agent Mode Service. Performing a manipulation results in missing authentication. The attack can be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:W/RC:UR"}}], "timeline": [{"time": "2026-04-12T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-12T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-12T06:28:13.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "York Shen (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/356992", "name": "VDB-356992 | zhayujie chatgpt-on-wechat CowAgent Agent Mode Service missing authentication", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/356992/cti", "name": "VDB-356992 | CTI Indicators (IOB, IOC)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/795272", "name": "Submit #795272 | zhayujie chatgpt-on-wechat (CowAgent) 2.0.4 Unauthenticated Remote Code Execution", "tags": ["third-party-advisory"]}, {"url": "https://github.com/zhayujie/chatgpt-on-wechat/issues/2741", "tags": ["issue-tracking"]}, {"url": "https://github.com/zhayujie/chatgpt-on-wechat/issues/2741#issue-4191903266", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T15:25:33.141825Z", "id": "CVE-2026-6129", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:25:46.572Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6129", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T15:25:33.141825Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:25:41.317Z"}}], "cna": {"title": "zhayujie chatgpt-on-wechat CowAgent Agent Mode Service missing authentication", "credits": [{"lang": "en", "type": "reporter", "value": "York Shen (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:W/RC:UR"}}], "affected": [{"vendor": "zhayujie", "modules": ["Agent Mode Service"], "product": "chatgpt-on-wechat CowAgent", "versions": [{"status": "affected", "version": "2.0.0"}, {"status": "affected", "version": "2.0.1"}, {"status": "affected", "version": "2.0.2"}, {"status": "affected", "version": "2.0.3"}, {"status": "affected", "version": "2.0.4"}]}], "timeline": [{"lang": "en", "time": "2026-04-12T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-12T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-12T06:28:13.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/356992", "name": "VDB-356992 | zhayujie chatgpt-on-wechat CowAgent Agent Mode Service missing authentication", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/356992/cti", "name": "VDB-356992 | CTI Indicators (IOB, IOC)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/795272", "name": "Submit #795272 | zhayujie chatgpt-on-wechat (CowAgent) 2.0.4 Unauthenticated Remote Code Execution", "tags": ["third-party-advisory"]}, {"url": "https://github.com/zhayujie/chatgpt-on-wechat/issues/2741", "tags": ["issue-tracking"]}, {"url": "https://github.com/zhayujie/chatgpt-on-wechat/issues/2741#issue-4191903266", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects an unknown function of the component Agent Mode Service. Performing a manipulation results in missing authentication. The attack can be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "Missing Authentication"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "Improper Authentication"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-12T19:45:12.190Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6129", "state": "PUBLISHED", "dateUpdated": "2026-04-15T15:25:46.572Z", "dateReserved": "2026-04-12T04:23:09.399Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-12T19:45:12.190Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects an unknown function of the component Agent Mode Service. Performing a manipulation results in missing authentication. The attack can be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-6129", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-12T20:16:19.227", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/zhayujie/chatgpt-on-wechat/issues/2741"}, {"source": "cna@vuldb.com", "url": "https://github.com/zhayujie/chatgpt-on-wechat/issues/2741#issue-4191903266"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/795272"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356992"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356992/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-306"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "chatgpt-on-wechat CowAgent", "source": "cna", "vendor": "zhayujie"}, "product": "chatgpt-on-wechat_cowagent", "vendor": "zhayujie"}], "analysis": {"en": {"generated_at": "2026-04-12T21:20:22.511039+00:00", "value": {"mitigation_remediation": ["Upgrade to a version newer than 2.0.4 that implements authentication for the Agent Mode Service", "If no update is available, disable or remove the Agent Mode Service or restrict network access to it", "Monitor application logs for suspicious activity related to the Agent Mode Service", "Apply firewall or segmentation rules to block unintended access until the vulnerability is resolved"], "summary": {"action": "Apply patch", "impact": "Unauthorized remote access via missing authentication"}, "threat_synthesis": {"affected_systems": "Products affected include the ChatGPT on WeChat CowAgent released by the developer zhayujie. All versions up to 2.0.4 are vulnerable, as documented in the advisory and issue reports. Users of these releases should verify their version and seek an updated release that addresses the authentication bypass.", "description_and_impact": "The vulnerability resides in the CowAgent component of the ChatGPT on WeChat application. An unknown function within the Agent Mode Service fails to enforce authentication, allowing an attacker to execute that function without any credentials. This omission can grant the attacker unauthorized control over the service, potentially exposing sensitive data, altering service behavior, or enabling further exploitation within the host system.", "risk_and_exploitability": "The CVSS base score of 6.9 indicates moderate to high impact. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet become widely exploited. However, because the flaw can be triggered remotely, an attacker who can reach the Agent Mode Service endpoint could potentially exploit it. The lack of authentication makes the attack path simple, but the exact prerequisites (e.g., specific request format) remain undetailed; the available references indicate prevention is currently limited to applying an update."}}}}, "created": "2026-04-13T12:38:11.637496+00:00", "updated": "2026-04-13T12:53:59.300157+00:00", "vendors": ["zhayujie", "zhayujie$PRODUCT$chatgpt-on-wechat_cowagent"]}