OpenBMB XAgent ShareServer WebSocket Endpoint share.py check_user missing authentication

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the function check_user of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Performing a manipulation of the argument interaction_id results in missing authentication. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Basic Information

ID CVE-2026-4959

Source VulDB

Published Mar 27, 2026 at 15:31

Modified Mar 31, 2026 at 15:09

Affected Product

Vendor OpenBMB

Product XAgent

Version 1.0.0

Affected Versions OpenBMB XAgent 1.0.0

CWE Classification

CWE-306 CWE-287

References

{
    "lastseen": "",
    "description": "A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the function check_user of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Performing a manipulation of the argument interaction_id results in missing authentication. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
    "published": "2026-03-27T15:31:29.753Z",
    "modified": "2026-03-31T15:09:19.380Z",
    "type": "cve",
    "title": "OpenBMB XAgent ShareServer WebSocket Endpoint share.py check_user missing authentication",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.353836\nhttps://vuldb.com/?ctiid.353836\nhttps://vuldb.com/?submit.777622\nhttps://gist.github.com/YLChen-007/531ec6b169f4b9ecbc8c2f0b2cd7c5ee",
    "id": "CVE-2026-4959",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306",
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "OpenBMB XAgent 1.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "XAgent",
    "version": "1.0.0",
    "vendor": "OpenBMB",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

OpenBMB XAgent ShareServer WebSocket Endpoint share.py check_user missing authentication_CVE-2026-4959