| Title | assafelovic gpt-researcher 3.4.3 Unrestricted Access |
|---|
| Description | gpt-researcher v3.4.3 and earlier versions expose all HTTP REST API endpoints and the WebSocket interface without any form of authentication or authorization. A total of 14 endpoints — including file upload, file deletion, research task generation (which triggers expensive LLM API calls), report access, and chat — are accessible to any unauthenticated network user. This allows an attacker to upload arbitrary files, delete existing files, exfiltrate all research reports, consume API credits by triggering unlimited research tasks, and manipulate server-side configuration. |
|---|
| Source | ⚠️ https://github.com/assafelovic/gpt-researcher/issues/1695 |
|---|
| User | Yu-Bao (UID 96702) |
|---|
| Submission | 03/23/2026 04:11 (14 days ago) |
|---|
| Moderation | 04/05/2026 21:12 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 355420 [assafelovic gpt-researcher up to 3.4.3 HTTP REST API Endpoint missing authentication] |
|---|
| Points | 20 |
|---|