High severity7.3NVD Advisory· Published Mar 27, 2026· Updated Apr 29, 2026

CVE-2026-4959

Description

A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the function check_user of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Performing a manipulation of the argument interaction_id results in missing authentication. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected products

Openbmb/Xagent
cpe:2.3:a:openbmb:xagent:1.0.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

gist.github.com/YLChen-007/531ec6b169f4b9ecbc8c2f0b2cd7c5eenvdExploitThird Party Advisory
vuldb.comnvdIssue TrackingThird Party Advisory
vuldb.comnvdPermissions RequiredVDB Entry
vuldb.comnvdPermissions RequiredVDB Entry

News mentions

Sednit reloaded: Back in the trenches
ESET WeLiveSecurity · Mar 10, 2026

cvss	0.474
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000