CVE-2026-7643: Permissive Cross-domain Policy with Untrusted Domains in ChatGPTNextWeb NextChat
CVE-2026-7643 is a medium severity vulnerability in ChatGPTNextWeb NextChat versions up to 2.16.1. It involves a permissive cross-domain policy that allows untrusted domains to interact with the application due to a flaw in an API endpoint related to Next.js. The vulnerability can be exploited remotely without privileges or user interaction. Although an exploit has been published, the vendor has not yet responded or provided a fix. The CVSS 4.0 base score is 5.3, reflecting moderate impact and ease of exploitation.
AI Analysis
Technical Summary
This vulnerability in ChatGPTNextWeb NextChat (<= 2.16.1) arises from a permissive cross-domain policy implemented in an API endpoint within the Next.js component. This misconfiguration allows untrusted domains to bypass same-origin restrictions, potentially enabling unauthorized cross-origin interactions. The flaw can be triggered remotely without authentication or user interaction, increasing its risk profile. Despite early reporting, the vendor has not issued a patch or official remediation guidance. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, no confidentiality or availability impact, and low integrity impact.
Potential Impact
The vulnerability permits untrusted domains to interact with the affected application due to an overly permissive cross-domain policy. This could lead to unauthorized cross-origin requests or data exposure depending on the application context. However, the CVSS score and vector indicate no direct confidentiality or availability impact, and only low integrity impact. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vendor has not responded or released a fix, users should monitor official channels for updates. In the meantime, restricting cross-origin policies manually or applying web application firewall rules to limit cross-domain requests may reduce exposure. Avoid deploying affected versions in sensitive environments until a fix is available.
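As an added illustration of the "restricting cross-origin policies manually" advice above (example code, not NextChat's own; it assumes the weakness is CORS-style handling of the Origin header, which the advisory does not detail, and the allowlisted host is a constructed placeholder):

```javascript
// Weak pattern: reflect whatever Origin the caller sent and allow credentials.
// Any site can then make credentialed cross-origin requests and read responses.
function permissiveCorsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: only exact, pre-approved origins are echoed back; any other
// caller gets no CORS headers, so the browser blocks the cross-origin read.
const ALLOWED_ORIGINS = new Set([
  "https://chat.example.com", // constructed placeholder, not a real deployment
]);

function restrictiveCorsHeaders(origin) {
  if (typeof origin !== "string") return null;
  let parsed;
  try { parsed = new URL(origin); } catch { return null; } // also rejects "null"
  // Compare the normalized origin, not the raw header, so a lookalike host such
  // as "https://chat.example.com.evil.test" or a trailing path never matches.
  if (parsed.origin !== origin || !ALLOWED_ORIGINS.has(parsed.origin)) return null;
  return {
    "Access-Control-Allow-Origin": parsed.origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's headers to another
  };
}

// Minimal Next.js pages-router-style API handler using the hardened check.
// Preflights from unapproved origins are refused; other requests proceed without
// CORS headers, which the browser treats as a cross-origin denial.
function handler(req, res) {
  const headers = restrictiveCorsHeaders(req.headers.origin);
  if (headers) for (const [k, v] of Object.entries(headers)) res.setHeader(k, v);
  if (req.method === "OPTIONS") { res.status(headers ? 204 : 403).end(); return; }
  res.status(200).json({ ok: true });
}
```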
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-05-01T16:33:59.113Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69f612efcbff5d8610ef5870
Added to database: 5/2/2026, 3:06:23 PM
Last enriched: 5/2/2026, 3:21:32 PM
Last updated: 5/2/2026, 9:20:40 PM