| Título | assafelovic gpt-researcher 3.4.3 Unrestricted Access |
|---|
| Descripción | gpt-researcher v3.4.3 and earlier versions expose all HTTP REST API endpoints and the WebSocket interface without any form of authentication or authorization. A total of 14 endpoints — including file upload, file deletion, research task generation (which triggers expensive LLM API calls), report access, and chat — are accessible to any unauthenticated network user. This allows an attacker to upload arbitrary files, delete existing files, exfiltrate all research reports, consume API credits by triggering unlimited research tasks, and manipulate server-side configuration. |
|---|
| Fuente | ⚠️ https://github.com/assafelovic/gpt-researcher/issues/1695 |
|---|
| Usuario | Yu-Bao (UID 96702) |
|---|
| Sumisión | 2026-03-23 04:11 (hace 1 mes) |
|---|
| Moderación | 2026-04-05 21:12 (14 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 355420 [assafelovic gpt-researcher hasta 3.4.3 HTTP REST API Endpoint autenticación débil] |
|---|
| Puntos | 20 |
|---|