Skip to main content

Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

© 2026 Mondoo, Inc.

Log in Get Assessment

Vulnerability IntelligenceCVE-2026-4959

CVE-2026-4959

HIGH7.3

OpenBMB XAgent ShareServer WebSocket Endpoint share.py check_user missing authentication

Published Mar 27, 2026

Modified 1 months ago

Details

A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the function check_user of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Performing a manipulation of the argument interaction_id results in missing authentication. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

https://gist.github.com/YLChen-007/531ec6b169f4b9ecbc8c2f0b2cd7c5ee

https://vuldb.com/?ctiid.353836

https://vuldb.com/?id.353836

https://vuldb.com/?submit.777622

https://www.cve.org/CVERecord?id=CVE-2026-4959

CVSS Analysis

CVSS v4.0

6.9

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

NoneAT:N

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Vulnerable System

Vuln. Confidentiality

LowVC:L

Vuln. Integrity

LowVI:L

Vuln. Availability

LowVA:L

Subsequent System

Subseq. Confidentiality

NoneSC:N

Subseq. Integrity

NoneSI:N

Subseq. Availability

NoneSA:N

6.9/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Weakness Type (CWE)

Authentication

Improper Authentication

Missing Authentication

Ecosystems

Timeline

PublishedMar 27, 2026

ModifiedMar 31, 2026

CVE-2026-4959 | Mondoo Vulnerability Intelligence