CVE-2026-4959 | OpenBMB XAgent 1.0.0 ShareServer WebSocket Endpoint share.py check_user interaction_id missing authentication

A vulnerability classified as critical has been found in OpenBMB XAgent 1.0.0. This impacts the function check_user of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Performing a manipulation of the argument interaction_id results in missing authentication.

This vulnerability is known as CVE-2026-4959. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-4959 | OpenBMB XAgent 1.0.0 ShareServer WebSocket Endpoint share.py check_user interaction_id missing authentication

Post correlati

CVE-2024-6172 | Icegram Email Subscribers Plugin up to 5.7.25 on WordPress Unsubscribe sql injection

CVE-2025-7647 | run-llama llama_index up to 0.12.x on Linux /tmp/llama_index get_cache_dir temp file

CVE-2024-36745 | Oneflow 0.9.1 oneflow.index_select denial of service

CVE-2025-59456 | JetBrains TeamCity up to 2025.07.1 Project Archive Upload path traversal