| Título | assafelovic gpt-researcher 3.4.3 Unrestricted Access |
|---|
| Descrição | gpt-researcher v3.4.3 and earlier versions expose all HTTP REST API endpoints and the WebSocket interface without any form of authentication or authorization. A total of 14 endpoints — including file upload, file deletion, research task generation (which triggers expensive LLM API calls), report access, and chat — are accessible to any unauthenticated network user. This allows an attacker to upload arbitrary files, delete existing files, exfiltrate all research reports, consume API credits by triggering unlimited research tasks, and manipulate server-side configuration. |
|---|
| Fonte | ⚠️ https://github.com/assafelovic/gpt-researcher/issues/1695 |
|---|
| Utilizador | Yu-Bao (UID 96702) |
|---|
| Submissão | 23/03/2026 04h11 (há 1 mês) |
|---|
| Moderação | 05/04/2026 21h12 (14 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 355420 [assafelovic gpt-researcher até 3.4.3 HTTP REST API Endpoint Autenticação fraca] |
|---|
| Pontos | 20 |
|---|