CVE-2026-4958 | OpenBMB XAgent 1.0.0 WebSocket Endpoint replayer.py ReplayServer.on_connect/ReplayServer.send_data interaction_id authorization

A vulnerability described as problematic has been identified in OpenBMB XAgent 1.0.0. This affects the function ReplayServer.on_connect/ReplayServer.send_data of the file XAgentServer/application/websockets/replayer.py of the component WebSocket Endpoint. Such manipulation of the argument interaction_id leads to authorization bypass.

This vulnerability is traded as CVE-2026-4958. The attack may be launched remotely. Furthermore, there is an exploit available.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-4958 | OpenBMB XAgent 1.0.0 WebSocket Endpoint replayer.py ReplayServer.on_connect/ReplayServer.send_data interaction_id authorization

Post correlati

CVE-2024-1814 | Spectra Plugin up to 2.12.8 on WordPress Testimonial Block cross site scripting

CVE-2024-45066 | Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE POST Request command injection (icsa-24-268-04)

CVE-2024-20833 | Samsung Devices pub_crypto_recv_msg race condition

CVE-2025-40595 | SonicWall SMA1000 up to 12.4.3-02925 Appliance Work Place Interface server-side request forgery (SNWLID-2025-0010)