CVE-2026-4957

A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is the function FunctionHandler.handle_tool_call of the file XAgent/function_handler.py of the component API Key Handler. This manipulation of the argument api_key causes sensitive information in log files. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v3 2.7 LOW
CVSS v2.0 3.3 LOW

2.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

3.3^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:L/Au:M/C:P/I:N/A:N

Exploitability : 6.4 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication MULTIPLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://gist.github.com/YLChen-007/6279f3de0c2dff7732eaaf820843b562	Third Party Advisory Exploit
https://vuldb.com/?ctiid.353834	Permissions Required VDB Entry
https://vuldb.com/?id.353834	Permissions Required VDB Entry
https://vuldb.com/?submit.777615	Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openbmb:xagent:1.0.0:*:*:*:*:*:*:*

History

29 Apr 2026, 17:03

Type	Values Removed	Values Added
References	~~() https://gist.github.com/YLChen-007/6279f3de0c2dff7732eaaf820843b562 -~~	() https://gist.github.com/YLChen-007/6279f3de0c2dff7732eaaf820843b562 - Third Party Advisory, Exploit
References	~~() https://vuldb.com/?ctiid.353834 -~~	() https://vuldb.com/?ctiid.353834 - Permissions Required, VDB Entry
References	~~() https://vuldb.com/?id.353834 -~~	() https://vuldb.com/?id.353834 - Permissions Required, VDB Entry
References	~~() https://vuldb.com/?submit.777615 -~~	() https://vuldb.com/?submit.777615 - Issue Tracking, Third Party Advisory
CPE		cpe:2.3:a:openbmb:xagent:1.0.0:::::::*
First Time		Openbmb Openbmb xagent

27 Mar 2026, 15:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-27 15:17

Updated : 2026-04-29 17:03

NVD link : CVE-2026-4957

Mitre link : CVE-2026-4957

CVE.ORG link : CVE-2026-4957

JSON object : View

Products Affected

openbmb

xagent

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-532

Insertion of Sensitive Information into Log File

2.7 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

3.3 /10

Access Vector NETWORK

Access Complexity LOW

Authentication MULTIPLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2026-4957

2.7^/10

3.3^/10

Attach tags to `CVE-2026-4957`