CVE-2026-7844: Langchain-Chatchat: auth bypass on file service endpoints

Severity: MEDIUM | PoC available | CISA SSVC: Track*
Published May 5, 2026
CISO Take

Langchain-Chatchat ≤0.3.1.3 exposes file management API endpoints—list, retrieve, download, and delete—with no authentication required, allowing any adjacent-network attacker to access all files stored by the application without credentials. In typical enterprise deployments where Chatchat serves as an LLM knowledge base front-end, those files often include RAG source documents, internal PDFs, prompt templates, and potentially sensitive business data ingested for context retrieval. Despite a medium CVSS score (6.3), the EPSS places this in the top 91st percentile for exploitation likelihood, and a public PoC write-up is already on GitHub—meaning script-level exploitation is trivial for anyone on the same network segment. Until the vendor ships a patch (they have not responded to the disclosure), immediately firewall the file service port to authorized IP ranges, enforce authentication at the reverse proxy layer, and audit file access logs for anomalous enumeration patterns.

Sources: NVD, EPSS, ATLAS, GitHub Advisory

What is the risk?

Effective risk is elevated above the medium CVSS score in enterprise AI environments. The adjacent-network constraint prevents Internet-scale exploitation but is easily satisfied in corporate office networks, shared cloud VPC subnets, or environments with a single compromised internal workstation. The complete absence of authentication (CWE-306) is a fundamental control failure—no brute force or credential theft is required. The public PoC and top-91st-percentile EPSS signal that the security community has noticed; exploitation activity should be expected on LANs running this software. Vendor non-response to the responsible disclosure increases remediation uncertainty and extends the exposure window.

How does the attack unfold?

Network Discovery
Attacker scans the local network for open ports associated with the Langchain-Chatchat service to identify a viable target.
AML.T0006
Authentication Bypass
Attacker calls unauthenticated file list endpoint directly, receiving a full directory listing of all stored documents without any credential challenge.
AML.T0049
Data Exfiltration
Attacker iterates the file listing and calls retrieve_file_content for each document, downloading the entire RAG knowledge base including sensitive business documents.
AML.T0025
Knowledge Base Destruction
Attacker invokes delete_file on critical documents to erase the RAG context, degrading LLM response quality and causing downstream application failures.

How severe is it?

CVSS 3.1
6.3 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 24% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Adjacent
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low

What should I do?

  1. Immediately restrict network access to Chatchat file service ports via host-based firewall or network ACL—allow only known-good IP ranges.
  2. Deploy authentication enforcement at the reverse proxy layer (nginx auth_basic, Caddy forward_auth, or equivalent) as a compensating control.
  3. If file service functionality is non-essential to the deployment, disable or comment out the affected routes in openai_routes.py.
  4. Audit access logs for the file endpoints (list_files, retrieve_file, retrieve_file_content, delete_file) for unauthorized access patterns—focus on source IPs outside normal client ranges.
  5. Monitor GitHub issue #5465 and the chatchat-space/Langchain-Chatchat repo for a patched release; upgrade immediately when available.
  6. Inventory what files are stored in the service and assess confidentiality impact if exfiltration already occurred.
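The log audit in step 4, worked through as an added example (this is not code from the Langchain-Chatchat project or from the advisory sources): a Python script that reads nginx combined-format access log lines, keeps only requests to the four file endpoints named above, and flags three things a defender cares about: any file-endpoint request from a source IP outside an allow-list of client ranges, a burst of retrieve_file_content calls from one address (the enumeration pattern), and any successful delete_file call. The log lines are constructed for the example; the `/files/<endpoint>` path shape is taken from the `GET /files/list_files` request described on this page and is assumed for the other three endpoints.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Endpoints named in the advisory. The "/files/<name>" path shape is an assumption
# generalised from the "GET /files/list_files" request described on the page.
FILE_ENDPOINTS = ("list_files", "retrieve_file", "retrieve_file_content", "delete_file")
ENDPOINT_RE = re.compile(
    r"/files/(" + "|".join(sorted(FILE_ENDPOINTS, key=len, reverse=True)) + r")\b"
)

# nginx "combined" format: ip - user [time] "METHOD path PROTO" status bytes "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a record for a file-service request, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ep = ENDPOINT_RE.search(m["path"])
    if not ep:
        return None  # not one of the file endpoints; out of scope for this audit
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "method": m["method"],
        "endpoint": ep.group(1),
        "status": int(m["status"]),
    }


def audit(lines, allowed_cidrs, burst_threshold=20, burst_window_s=300):
    """Return de-duplicated (ip, reason) findings for the file endpoints."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings, seen = [], set()
    content_hits = defaultdict(list)  # ip -> timestamps of retrieve_file_content calls

    def add(ip, reason):
        if (ip, reason) not in seen:
            seen.add((ip, reason))
            findings.append((ip, reason))

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = ipaddress.ip_address(rec["ip"])
        if not any(ip in n for n in nets):
            add(rec["ip"], f"{rec['endpoint']} from IP outside allowed ranges")
        if rec["endpoint"] == "delete_file" and rec["status"] < 400:
            add(rec["ip"], "successful delete_file call")
        if rec["endpoint"] == "retrieve_file_content":
            ts = content_hits[rec["ip"]]
            ts.append(rec["time"])
            # sliding window: forget calls older than the burst window
            while ts and (rec["time"] - ts[0]).total_seconds() > burst_window_s:
                ts.pop(0)
            if len(ts) == burst_threshold:
                add(rec["ip"], f"{burst_threshold} retrieve_file_content calls within {burst_window_s}s")
    return findings


def _line(ip, method, path, status, hms):
    """Build one constructed combined-format log line for the sample below."""
    return (f'{ip} - - [05/May/2026:{hms} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "python-requests/2.31"')


# Constructed sample: one normal client in 10.0.1.0/24, one host in another subnet
# that lists the store, pulls twelve documents in twelve seconds, then deletes one.
SAMPLE_LOG = (
    [_line("10.0.1.15", "GET", "/files/list_files", 200, "09:00:01"),
     _line("10.0.1.15", "POST", "/chat/chat", 200, "09:00:05"),
     _line("10.0.7.42", "GET", "/files/list_files", 200, "09:14:03")]
    + [_line("10.0.7.42", "GET", f"/files/retrieve_file_content?file_id=doc-{i:04d}", 200,
             f"09:14:{10 + i:02d}") for i in range(12)]
    + [_line("10.0.7.42", "POST", "/files/delete_file?file_id=doc-0003", 200, "09:15:02")]
)

if __name__ == "__main__":
    for ip, reason in audit(SAMPLE_LOG, ["10.0.1.0/24"], burst_threshold=10):
        print(f"{ip}: {reason}")
```

Run it against real logs by feeding `audit()` the lines of the reverse proxy's access log and the CIDR ranges your Chatchat clients legitimately use; tune `burst_threshold` to a value above what a normal RAG ingestion job produces, otherwise routine re-indexing will trip the enumeration rule.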

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.5 - Access control to AI system components
NIST AI RMF
MS-2.5 - AI system security monitoring
OWASP LLM Top 10
LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-7844 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-7844, increasing the risk of exploitation.

What systems are affected by CVE-2026-7844?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, LLM application servers, document processing pipelines, agent frameworks.

What is the CVSS score for CVE-2026-7844?

CVE-2026-7844 has a CVSS v3.1 base score of 6.3 (MEDIUM). The EPSS exploitation probability is 0.32%.

What is the AI security impact?

Affected AI Architectures

  • RAG pipelines
  • LLM application servers
  • document processing pipelines
  • agent frameworks

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0085.000 RAG Databases

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.5
NIST AI RMF: MS-2.5
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

A vulnerability was detected in chatchat-space Langchain-Chatchat up to 0.3.1.3. This vulnerability affects the function files/list_files/retrieve_file/retrieve_file_content/delete_file of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Compatible File Service. The manipulation results in missing authentication. The attacker must have access to the local network to execute the attack. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Exploitation Scenario

An attacker with access to the corporate network (insider, guest WiFi, or via a compromised workstation) identifies a Langchain-Chatchat deployment through passive observation or light port scanning. Using the public PoC from GitHub, they call GET /files/list_files without any authorization header and receive a full listing of uploaded documents—including internal compliance PDFs, customer-facing knowledge base files, and LLM system prompt templates. They iterate through the listing, calling retrieve_file_content for each file to exfiltrate the entire RAG knowledge base to an external system. As a final step, they invoke delete_file on critical documents, causing the LLM application to lose its retrieval context and begin hallucinating responses—a degradation that may go undetected for hours or days in a production deployment.

Weaknesses (CWE)

CWE-287 — Improper Authentication: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

  • [Architecture and Design] Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Timeline

Published
May 5, 2026
Last Modified
May 5, 2026
First Seen
May 5, 2026

Related Vulnerabilities