A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the function check_user of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Performing a manipulation of the argument interaction_id results in missing authentication. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
References
| Link | Resource |
|---|---|
| https://gist.github.com/YLChen-007/531ec6b169f4b9ecbc8c2f0b2cd7c5ee | Exploit Third Party Advisory |
| https://vuldb.com/?ctiid.353836 | Permissions Required VDB Entry |
| https://vuldb.com/?id.353836 | Permissions Required VDB Entry |
| https://vuldb.com/?submit.777622 | Issue Tracking Third Party Advisory |
Configurations
History
29 Apr 2026, 16:56
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Openbmb
Openbmb xagent |
|
| References | () https://gist.github.com/YLChen-007/531ec6b169f4b9ecbc8c2f0b2cd7c5ee - Exploit, Third Party Advisory | |
| References | () https://vuldb.com/?ctiid.353836 - Permissions Required, VDB Entry | |
| References | () https://vuldb.com/?id.353836 - Permissions Required, VDB Entry | |
| References | () https://vuldb.com/?submit.777622 - Issue Tracking, Third Party Advisory | |
| CPE | cpe:2.3:a:openbmb:xagent:1.0.0:*:*:*:*:*:*:* |
27 Mar 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-03-27 16:16
Updated : 2026-04-29 16:56
NVD link : CVE-2026-4959
Mitre link : CVE-2026-4959
CVE.ORG link : CVE-2026-4959
JSON object : View
Products Affected
openbmb
- xagent