CVE-2026-7177

A security flaw has been discovered in ChatGPTNextWeb NextChat up to 2.16.1. Affected by this issue is the function proxyHandler of the file app/api/[provider]/[...path]/route.ts. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

CVSS v3 7.3 HIGH
CVSS v2.0 7.5 HIGH

7.3^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://gist.github.com/YLChen-007/da6b00024f5b7e1d4fa0658c19b77fbf	Exploit Third Party Advisory
https://github.com/ChatGPTNextWeb/NextChat/	Product
https://github.com/ChatGPTNextWeb/NextChat/issues/6742	Issue Tracking
https://vuldb.com/submit/797645	Exploit Third Party Advisory
https://vuldb.com/vuln/359779	Third Party Advisory VDB Entry
https://vuldb.com/vuln/359779/cti	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextchat:nextchat:2.16.0:::::::*
	cpe:2.3:a:nextchat:nextchat:2.16.1:::::::*

History

30 Apr 2026, 19:26

Type	Values Removed	Values Added
First Time		Nextchat Nextchat nextchat
CPE		cpe:2.3:a:nextchat:nextchat:2.16.1:::::::* cpe:2.3:a:nextchat:nextchat:2.16.0:::::::*
References	~~() https://gist.github.com/YLChen-007/da6b00024f5b7e1d4fa0658c19b77fbf -~~	() https://gist.github.com/YLChen-007/da6b00024f5b7e1d4fa0658c19b77fbf - Exploit, Third Party Advisory
References	~~() https://github.com/ChatGPTNextWeb/NextChat/ -~~	() https://github.com/ChatGPTNextWeb/NextChat/ - Product
References	~~() https://github.com/ChatGPTNextWeb/NextChat/issues/6742 -~~	() https://github.com/ChatGPTNextWeb/NextChat/issues/6742 - Issue Tracking
References	~~() https://vuldb.com/submit/797645 -~~	() https://vuldb.com/submit/797645 - Exploit, Third Party Advisory
References	~~() https://vuldb.com/vuln/359779 -~~	() https://vuldb.com/vuln/359779 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/vuln/359779/cti -~~	() https://vuldb.com/vuln/359779/cti - Permissions Required

27 Apr 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-27 22:16

Updated : 2026-04-30 19:26

NVD link : CVE-2026-7177

Mitre link : CVE-2026-7177

CVE.ORG link : CVE-2026-7177

JSON object : View

Products Affected

nextchat

nextchat

CWE

CWE-918

Server-Side Request Forgery (SSRF)

7.3 /10