CVE-2023-34094: ChuanhuChatGPT: config exposure leaks API keys
MEDIUM PoC AVAILABLEChuanhuChatGPT deployments without authentication configured expose their config.json file to any unauthenticated network attacker, directly leaking LLM API keys stored in plaintext. The attack is trivial — no credentials, no user interaction, just a network request — and the exposed file typically contains API keys for OpenAI or other LLM providers. While not in CISA KEV and scored medium (CVSS 5.3), the practical blast radius exceeds the rating: stolen keys enable unauthorized model inference, cost harvesting against the victim's account, and potential access to associated provider resources such as fine-tuned models or uploaded files. Update to commit bfac445 or later, enable access authentication immediately, and rotate any API keys that may have been exposed.
What is the risk?
Practical risk exceeds the CVSS 5.3 medium rating. All four network-facing exploitability factors are worst-case: AV:N, AC:L, PR:N, UI:N — making this trivially exploitable by any unauthenticated actor with network reach. The real damage is downstream: stolen LLM API keys enable cost harvesting, unauthorized inference, and potential pivot into associated provider accounts. Self-hosted deployments in enterprise or research environments assuming network perimeter protection are silently exposed if the service is accidentally internet-facing or if an internal threat actor is present.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| ChuanhuChatGPT | pip | — | No patch |
Do you use ChuanhuChatGPT? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Patch: upgrade to commit bfac445 or any release after 20230526 — the vulnerability is fixed there.
-
Workaround: enable access authentication on all ChuanhuChatGPT deployments immediately; do not rely on network perimeter alone.
-
Key rotation: rotate all LLM API keys stored in config.json for any instance potentially reachable from untrusted networks.
-
Detection: audit web server access logs for GET requests to config.json; any HTTP 200 response to an unexpected IP indicates potential compromise.
-
Inventory: scan internal network for unauthenticated ChuanhuChatGPT instances via port scanning and UI fingerprinting.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2023-34094?
ChuanhuChatGPT deployments without authentication configured expose their config.json file to any unauthenticated network attacker, directly leaking LLM API keys stored in plaintext. The attack is trivial — no credentials, no user interaction, just a network request — and the exposed file typically contains API keys for OpenAI or other LLM providers. While not in CISA KEV and scored medium (CVSS 5.3), the practical blast radius exceeds the rating: stolen keys enable unauthorized model inference, cost harvesting against the victim's account, and potential access to associated provider resources such as fine-tuned models or uploaded files. Update to commit bfac445 or later, enable access authentication immediately, and rotate any API keys that may have been exposed.
Is CVE-2023-34094 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2023-34094, increasing the risk of exploitation.
How to fix CVE-2023-34094?
1. Patch: upgrade to commit bfac445 or any release after 20230526 — the vulnerability is fixed there. 2. Workaround: enable access authentication on all ChuanhuChatGPT deployments immediately; do not rely on network perimeter alone. 3. Key rotation: rotate all LLM API keys stored in config.json for any instance potentially reachable from untrusted networks. 4. Detection: audit web server access logs for GET requests to config.json; any HTTP 200 response to an unexpected IP indicates potential compromise. 5. Inventory: scan internal network for unauthenticated ChuanhuChatGPT instances via port scanning and UI fingerprinting.
What systems are affected by CVE-2023-34094?
This vulnerability affects the following AI/ML architecture patterns: self-hosted LLM chat interfaces, LLM framework deployments, AI tool configuration management.
What is the CVSS score for CVE-2023-34094?
CVE-2023-34094 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.62%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0040 AI Model Inference API Access AML.T0049 Exploit Public-Facing Application AML.T0055 Unsecured Credentials AML.T0083 Credentials from AI Agent Configuration Compliance Controls Affected
What are the technical details?
Original Advisory
ChuanhuChatGPT is a graphical user interface for ChatGPT and many large language models. A vulnerability in versions 20230526 and prior allows unauthorized access to the config.json file of the privately deployed ChuanghuChatGPT project, when authentication is not configured. The attacker can exploit this vulnerability to steal the API keys in the configuration file. The vulnerability has been fixed in commit bfac445. As a workaround, setting up access authentication can help mitigate the vulnerability.
Exploitation Scenario
An attacker scans internet-facing hosts for ChuanhuChatGPT deployments identifiable by UI fingerprinting or known default ports. On a deployment without authentication configured, they issue a direct HTTP GET to the config.json endpoint. The server returns the file in plaintext, including OpenAI or other LLM provider API keys. The attacker then uses these keys to run automated workloads under the victim's account — exhausting API credits, querying the model with sensitive prompts, or enumerating provider-side assets such as fine-tuned models and uploaded files. If the key carries organization-level permissions, the attacker gains visibility into the full API usage history and any data stored with the provider.
Weaknesses (CWE)
CWE-306 Missing Authentication for Critical Function
Primary
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
- [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N References
Timeline
Related Vulnerabilities
CVE-2024-3234 9.8 ChuanhuChatGPT: path traversal exposes LLM API keys
Same package: chuanhuchatgpt CVE-2024-10650 ChuanhuChatGPT: DoS via multipart payload exhaustion
Same package: chuanhuchatgpt CVE-2024-10707 ChuanhuChatGPT: path traversal exposes server files unauthed
Same package: chuanhuchatgpt CVE-2025-53767 10.0 Azure OpenAI: SSRF EoP, no auth required (CVSS 10)
Same attack type: Data Extraction CVE-2025-2828 10.0 LangChain RequestsToolkit: SSRF exposes cloud metadata
Same attack type: Data Extraction