VYPR
High severity (score 7.3) · NVD Advisory · Published Jun 1, 2026

CVE-2026-10214


Description

Unauthenticated remote code execution in chatgpt-on-wechat <=2.0.8 via Bash tool blocklist bypass; fixed in 2.0.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A command injection vulnerability exists in zhayujie chatgpt-on-wechat up to version 2.0.8. The flaw resides in the _get_safety_warning function of /agent/tools/bash/bash.py within the Bash Tool component. The safety filter relies on a trivial blocklist of only 10 exact-match strings (e.g., rm -rf /, shutdown), which can be easily bypassed. The Bash tool is auto-loaded by default when the agent mode is enabled (the default configuration) [2].

Exploitation

An unauthenticated attacker can send crafted prompts to the /message HTTP endpoint (port 9899, no password required by default). The LLM agent interprets the prompt and, if it decides to invoke the Bash tool, passes the command through the inadequate safety check. Commands not matching the 10 blocklisted strings are executed directly via subprocess.run(command, shell=True) without further sandboxing. The exploit is publicly available [2].

Impact

Successful exploitation allows arbitrary OS command execution under the privileges of the bot process (commonly root in Docker deployments). An attacker can read/write files, install malware, or pivot to other systems, leading to full compromise of the host [2].

Mitigation

The vulnerability is fixed in version 2.0.9 [3]. The patch (commit 16d9b449c9aa53ccee44144a762a2737d7ba4fc4) also changes the default web_host from 0.0.0.0 to 127.0.0.1 to reduce remote attack surface [1]. Users should upgrade to 2.0.9 and, if public access is required, set web_host to 0.0.0.0 and configure a strong web_password [3]. No workaround is available for versions prior to 2.0.9.

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Zhayujie/Cowagent, 2 affected versions (no CPE assigned), range: <=2.0.8

Patches

16d9b449c9aa

feat(web): set the web_host to the default value of 127.0.0.1

https://github.com/zhayujie/cowagent · zhayujie · May 16, 2026 · via nvd-ref
6 files changed · +19 −17
  • channel/web/web_channel.py (+7 −5, modified)
    @@ -696,10 +696,10 @@ def chat_page(self):
                 return f.read()
     
         def startup(self):
    -        host = conf().get("web_host", "0.0.0.0")
    +        configured_host = conf().get("web_host", "")
    +        host = configured_host or ("0.0.0.0" if _is_password_enabled() else "127.0.0.1")
             port = conf().get("web_port", 9899)
    -        # Treat wildcard binds as public exposure for the security hint below.
    -        is_public_bind = host in ("0.0.0.0", "", "::")
    +        is_public_bind = host in ("0.0.0.0", "::")
     
             # 打印可用渠道类型提示
             logger.info(
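Review bot: the auto-selection `host = configured_host or ("0.0.0.0" if _is_password_enabled() else "127.0.0.1")` turns the mere presence of a `web_password` into a public bind, so setting any password, including a weak one, silently widens exposure from loopback to every interface; consider keeping `127.0.0.1` as the auto default regardless of password and requiring an explicit `web_host` to go public. An explicit `web_host` of `0.0.0.0` with no password is also still accepted and only logged, which is the pre-patch state; refusing to start, or requiring an explicit opt-in setting, would make the default safe by construction rather than by warning.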
    @@ -716,9 +716,11 @@ def startup(self):
             logger.info("[WebChannel] ✅ Web控制台已运行")
             logger.info(f"[WebChannel] 🌐 本地访问: http://localhost:{port}")
             if is_public_bind:
    -            logger.info(f"[WebChannel] 🌍 服务器访问: http://YOUR_IP:{port} (请将YOUR_IP替换为服务器IP)")
    +            logger.info(f"[WebChannel] 🌍 服务器访问: http://YOUR_IP:{port} (将YOUR_IP替换为服务器IP)")
                 if not _is_password_enabled():
    -                logger.info("[WebChannel] 提示:当前未设置 web_password,如需公网部署请配置访问密码")
    +                logger.info("[WebChannel] ⚠️  当前监听 0.0.0.0 且未设置 web_password,公网部署建议在 config.json 中配置访问密码")
    +        else:
    +            logger.info(f"[WebChannel] 🔒 当前仅监听 {host},仅本机可访问。如需公网访问,请将 web_host 改为 0.0.0.0 并配置 web_password 密码")
     
             try:
                 import webbrowser
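Review bot: the new warning on the `not _is_password_enabled()` branch hardcodes "0.0.0.0" in its text, but the branch also fires for `::` because `is_public_bind = host in ("0.0.0.0", "::")`; interpolate `{host}` the way the new `else` branch already does, so an IPv6 wildcard bind (which on dual-stack hosts also accepts IPv4) is reported accurately.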
    
  • config.py (+1 −1, modified)
    @@ -205,7 +205,7 @@
         "Minimax_base_url": "",
         "deepseek_api_key": "",
         "deepseek_api_base": "https://api.deepseek.com/v1",
    -    "web_host": "0.0.0.0",  # Web console bind address; set to "127.0.0.1" to restrict access to localhost only
    +    "web_host": "",  # Web console bind address; empty means auto
         "web_port": 9899,
         "web_password": "",  # Web console password; empty means no authentication required
         "web_session_expire_days": 30,  # Auth session expiry in days
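Review bot: the new comment `# Web console bind address; empty means auto` does not say what auto resolves to. State it in the comment (loopback without `web_password`, all interfaces once one is set) so an operator editing config.py can predict the bind address without reading `startup()` in web_channel.py.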
    
  • config-template.json (+1 −0, modified)
    @@ -31,6 +31,7 @@
       "dingtalk_client_secret": "",
       "wecom_bot_id": "",
       "wecom_bot_secret": "",
    +  "web_host": "",
       "web_password": "",
       "agent": true,
       "agent_max_context_tokens": 50000,
    
  • docker/docker-compose.yml (+2 −0, modified)
    @@ -37,6 +37,8 @@ services:
           DINGTALK_CLIENT_SECRET: ''
           WECOM_BOT_ID: ''
           WECOM_BOT_SECRET: ''
    +      # 如需通过宿主机访问 Web 控制台,改为 '0.0.0.0' 并设置 WEB_PASSWORD
    +      WEB_HOST: '127.0.0.1'
           WEB_PASSWORD: ''
           AGENT: 'True'
           AGENT_MAX_CONTEXT_TOKENS: 50000
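Review bot: `WEB_HOST: '127.0.0.1'` inside the container makes any published port mapping unreachable from the host, so every Compose user will have to flip it to `0.0.0.0` as the new comment says; since the advisory text above notes the bot process commonly runs as root in Docker deployments, this file is also the place to add a non-root `user:` entry for the service, which limits what a Bash-tool invocation can do even when the console is exposed.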
    
  • docs/channels/web.mdx (+2 −6, modified)
    @@ -20,18 +20,14 @@ Web 控制台是 CowAgent 的默认通道,启动后会自动运行,通过浏
     | 参数 | 说明 | 默认值 |
     | --- | --- | --- |
     | `channel_type` | 设为 `web` | `web` |
    -| `web_host` | Web 服务监听地址,设为 `127.0.0.1` 表示仅本机可访问 | `0.0.0.0` |
    +| `web_host` | Web 服务监听地址,默认监听 `127.0.0.1`(仅本机),如需公网访问请改为 `0.0.0.0` 并设置密码 | `""` |
     | `web_port` | Web 服务监听端口 | `9899` |
    -| `web_password` | 访问密码,留空表示不启用密码保护 | `""` |
    +| `web_password` | 访问密码,留空表示不启用密码保护;监听 `0.0.0.0` 时建议设置 | `""` |
     | `web_session_expire_days` | 登录会话有效天数 | `30` |
     | `enable_thinking` | 是否启用深度思考模式 | `false` |
     
     配置密码后,访问控制台时需先输入密码完成登录。登录状态默认保持 30 天,期间重启服务也无需重新登录。密码也支持在控制台的「配置」页面中在线修改。
     
    -<Note>
    -  默认监听 `0.0.0.0`(所有网卡可访问),方便本机和局域网/服务器场景开箱即用。**部署到公网时务必设置 `web_password`**,或将 `web_host` 改为 `127.0.0.1` 仅允许本机访问。控制台启动时会自动检测并提示这一风险。
    -</Note>
    -
     ## 访问地址
     
     启动项目后访问:
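Review bot: the table now lists the `web_host` default as `""` while its description says the service listens on `127.0.0.1`, and the removed `<Note>` block was the one place that explained the exposure risk in a single paragraph. Document the actual auto rule (empty resolves to `127.0.0.1` without a password and to `0.0.0.0` once `web_password` is set); otherwise a reader who only sets `web_password` will not expect the console to become reachable from the network.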
    
  • README.md (+6 −5, modified)
    @@ -204,8 +204,7 @@ cow install-browser
       "group_speech_recognition": false,                          # 是否开启群组语音识别
       "voice_reply_voice": false,                                 # 是否使用语音回复语音
       "use_linkai": false,                                        # 是否使用 LinkAI 接口,默认关闭,设置为 true 后可对接 LinkAI 平台模型
    -  "web_host": "0.0.0.0",                                      # Web 控制台监听地址,设为 "127.0.0.1" 表示仅本机可访问
    -  "web_password": "",                                         # Web 控制台访问密码,留空则不启用密码保护(公网部署强烈建议设置)
    +  "web_password": "",                                         # Web 控制台访问密码,留空则不启用密码保护(监听 0.0.0.0 时务必设置)
       "agent": true,                                              # 是否启用 Agent 模式,启用后拥有多轮工具决策、长期记忆、Skills 能力等
       "agent_workspace": "~/cow",                                 # Agent 的工作空间路径,用于存储 memory、skills、系统设定等
       "agent_max_context_tokens": 50000,                          # Agent 模式下最大上下文 tokens,超出将自动智能压缩处理
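Review bot: the `web_host` entry is dropped from the annotated config example instead of being updated to the new `""` default, so README readers no longer discover the option at all; keep the line with the new default and the same trailing-comment style as its neighbours.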
    @@ -716,14 +715,16 @@ Coding Plan 是各厂商推出的编程包月套餐,所有厂商均可通过 O
     ```json
     {
         "channel_type": "web",
    +    "web_host": "0.0.0.0",
    +    "web_password": "YOUR PASSWORD",
         "web_port": 9899
     }
     ```
     
    -- `web_host`: 默认为 `0.0.0.0`(所有网卡可访问),如只在本机使用可改为 `127.0.0.1` 仅监听本地
    +- `web_host`: 监听地址,默认 `127.0.0.1`(仅本机),如需公网访问请改为 `0.0.0.0` 并设置密码
     - `web_port`: 默认为 9899,可按需更改,需要服务器防火墙和安全组放行该端口
    -- `web_password`: 访问密码,留空则不启用密码保护。部署在公网环境时建议设置
    -- 如本地运行,启动后请访问 `http://localhost:9899/chat` ;如服务器运行,请访问 `http://ip:9899/chat` 
    +- `web_password`: 访问密码,留空则不启用密码保护。部署在公网环境时请务必设置
    +- 如本地运行,启动后请访问 `http://localhost:9899` ;如服务器运行,请访问 `http://YOUR_IP:9899`
     > 注:请将上述 url 中的 ip 或者 port 替换为实际的值
     </details>
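Review bot: the JSON example pairs `"web_host": "0.0.0.0"` with the placeholder `"web_password": "YOUR PASSWORD"`, which a copy-paste deployment ships verbatim as a publicly bound console with a guessable password; either keep the example on `127.0.0.1` or make the placeholder obviously unusable and state that it must be replaced. The bullet below it also says the default is `127.0.0.1` while the docs table in this same commit says `""`; pick one wording.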
     
    

Vulnerability mechanics

Root cause

"The Bash tool's safety filter relies on a trivial exact-match blocklist that can be easily bypassed, and commands are executed via unsandboxed `subprocess.run(command, shell=True)`."

Attack vector

An unauthenticated attacker sends a crafted prompt to the `/message` endpoint of the web console (default port 9899). The LLM agent interprets the prompt and invokes the Bash tool, which checks the command against a 10-entry exact-match blocklist. Because the blocklist is trivial, the attacker can bypass it with slightly altered payloads (e.g., file reads, cron injection, downloading binaries). The command is then executed via `subprocess.run(command, shell=True)` without further sanitization [ref_id=2].

Affected code

The vulnerability resides in the Bash Tool (`agent/tools/bash/bash.py`). The `_get_safety_warning` method uses a trivial blocklist of exact-match strings, and the `execute` method passes commands directly to `subprocess.run(command, shell=True)` without sandboxing [ref_id=2]. The web channel (`channel/web/web_channel.py`) listens on `0.0.0.0:9899` by default and accepts unauthenticated POST requests on `/message`, making the tool reachable from the network [ref_id=2].

What the fix does

The patch changes the default `web_host` from `0.0.0.0` to `127.0.0.1` (or auto-selects `127.0.0.1` when no password is set), preventing the web console from being exposed to the network by default [patch_id=4023024]. It also adds stronger warnings in logs and documentation about setting a password when binding to `0.0.0.0`. However, the patch does not address the root cause — the trivial blocklist and unsandboxed `subprocess.run(shell=True)` in the Bash tool itself; it only reduces the attack surface by restricting network access.
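Because the fix leaves the Bash tool's check untouched, here is an added example (not the project's code) of the shape that removes the root cause: the command is admitted only if it names an allowlisted program and contains no shell syntax, and it is then run as an argv list with `shell=False`. `ALLOWED_PROGRAMS` is a constructed set chosen for illustration; a real deployment would pick its own.

```python
import shlex
import shutil
import subprocess
from dataclasses import dataclass, field

# Constructed allowlist for illustration: the tool may launch these programs
# and nothing else, each resolved to an absolute path at check time.
ALLOWED_PROGRAMS = {"ls", "cat", "grep", "echo", "wc", "head"}
# Characters only a shell interprets (pipes, chains, redirects, subshells); nothing
# below runs a shell, so reject them rather than pass them on as literal arguments.
SHELL_PUNCTUATION = set("();<>|&")

@dataclass
class CheckResult:
    allowed: bool
    reason: str
    argv: list = field(default_factory=list)

def check_command(command: str) -> CheckResult:
    """Admit a command only if it names an allowlisted program and has no shell syntax."""
    # POSIX quoting rules; punctuation_chars makes "ls;ls" tokenize as ls ; ls.
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        argv = list(lex)
    except ValueError as exc:  # e.g. unbalanced quotes
        return CheckResult(False, f"unparseable: {exc}")
    if not argv:
        return CheckResult(False, "empty command")
    for tok in argv:
        if tok and (set(tok) <= SHELL_PUNCTUATION or "`" in tok):
            return CheckResult(False, f"shell syntax not permitted: {tok}")
    prog = argv[0]
    if "/" in prog or prog not in ALLOWED_PROGRAMS:
        return CheckResult(False, f"program not in allowlist: {prog}")
    resolved = shutil.which(prog)
    if resolved is None:
        return CheckResult(False, f"program not found on PATH: {prog}")
    return CheckResult(True, "ok", [resolved] + argv[1:])

def run_tool_command(command: str, timeout: float = 10.0) -> dict:
    """Run an admitted command as an argv list (shell=False) under a time limit."""
    check = check_command(command)
    if not check.allowed:
        return {"ok": False, "rc": None, "stdout": "", "stderr": check.reason}
    try:
        proc = subprocess.run(check.argv, shell=False, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"ok": False, "rc": None, "stdout": "", "stderr": "timed out"}
    return {"ok": proc.returncode == 0, "rc": proc.returncode, "stdout": proc.stdout, "stderr": proc.stderr}
```

The rejection reason is returned to the caller rather than raised, so the agent loop can feed it back to the model as a tool error instead of crashing the channel.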

Preconditions

  • config: The agent feature must be enabled (default in config-template.json)
  • config: A valid LLM API key must be configured for the bot to process prompts
  • network: The web channel must be accessible on the network (default port 9899, previously bound to 0.0.0.0 by default)
  • auth: No authentication is required on the /message endpoint

Reproduction

The advisory includes a PoC with reproduction steps: deploy the Docker Compose file, run `poc.py` inside the container to verify safety filter bypass, then run `exploit.py` externally to send crafted prompts to the `/message` endpoint and execute arbitrary commands [ref_id=2].

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
