CVE-2026-7644 Overview
CVE-2026-7644 is an improper authorization vulnerability in ChatGPTNextWeb NextChat versions up to 2.16.1. The flaw resides in the addMcpServer function within app/mcp/actions.ts, which fails to enforce proper authorization checks. Remote attackers can manipulate this function to register Model Context Protocol (MCP) servers without adequate permission validation. The vulnerability has been publicly disclosed, and exploit details are available. The maintainers were notified through a GitHub issue but have not responded at the time of disclosure, leaving deployments exposed [CWE-266].
Critical Impact
Remote attackers can abuse the addMcpServer action to bypass authorization controls in NextChat, affecting confidentiality, integrity, and availability of the application.
Affected Products
- ChatGPTNextWeb NextChat versions up to and including 2.16.1
- Deployments exposing the app/mcp/actions.tsaddMcpServer endpoint
- Self-hosted NextChat instances reachable over the network
Discovery Timeline
- 2026-05-02 - CVE-2026-7644 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7644
Vulnerability Analysis
NextChat is a cross-platform ChatGPT client that supports the Model Context Protocol (MCP) for integrating external tools and data sources. The addMcpServer function in app/mcp/actions.ts allows callers to register new MCP server entries within the application. The function does not verify whether the caller is authorized to perform server registration. As a result, unauthenticated remote actors can invoke this server action and add arbitrary MCP server configurations.
Improper authorization in MCP-related actions can have downstream consequences. MCP servers act as trusted tool providers within the NextChat runtime. Adding unauthorized servers can influence which tools the assistant invokes, what data it forwards, and how it processes user prompts. The issue maps to CWE-266 (Incorrect Privilege Assignment).
Root Cause
The root cause is missing or inadequate authorization logic inside the addMcpServer server action. The function executes the privileged registration operation without validating the caller's identity, role, or session context. Any client able to reach the endpoint can trigger the action.
Attack Vector
The attack is network-based and requires no authentication, no privileges, and no user interaction. An attacker sends a crafted request to the NextChat backend invoking the addMcpServer server action with attacker-controlled MCP server parameters. Public exploitation details have been released through VulDB and the upstream GitHub issue tracker. See the GitHub Issue #6757 and VulDB Vulnerability #360756 for technical specifics. No verified proof-of-concept code is reproduced here.
Detection Methods for CVE-2026-7644
Indicators of Compromise
- Unexpected MCP server entries appearing in NextChat configuration or persistent storage
- Outbound connections from the NextChat host to unfamiliar MCP endpoints or domains
- Unauthenticated POST requests to NextChat server actions corresponding to addMcpServer
- Anomalous tool invocations within chat sessions referencing newly added MCP integrations
Detection Strategies
- Inspect application logs for invocations of the addMcpServer action originating from sessions without authenticated users.
- Diff stored MCP server lists against a known-good baseline and alert on additions that lack a corresponding administrative change ticket.
- Monitor reverse proxy or web application firewall logs for direct calls to NextChat server action endpoints from external IP addresses.
Monitoring Recommendations
- Forward NextChat application logs and host network telemetry to a centralized analytics platform for correlation and retention.
- Alert on new outbound connections from the NextChat process to non-allowlisted MCP server hosts.
- Track changes to app/mcp/ configuration files using file integrity monitoring.
How to Mitigate CVE-2026-7644
Immediate Actions Required
- Restrict network exposure of NextChat instances to trusted users via VPN, reverse-proxy authentication, or IP allowlisting.
- Disable or remove the MCP feature in deployments that do not require it until an upstream fix is available.
- Audit existing MCP server registrations and remove any entries that cannot be attributed to authorized administrators.
- Rotate any API keys, tokens, or credentials accessible to the NextChat process if unauthorized MCP servers were detected.
Patch Information
No official patch is available at the time of publication. According to the CVE record, the upstream project was notified through a GitHub issue but has not yet responded. Track the NextChat GitHub repository and Issue #6757 for fix announcements, and upgrade beyond version 2.16.1 once a patched release is published.
Workarounds
- Place NextChat behind an authenticating reverse proxy that blocks unauthenticated requests to server action routes.
- Apply a custom authorization check to the addMcpServer handler in app/mcp/actions.ts that validates session ownership and administrative role before executing registration.
- Operate NextChat in single-user or local-only mode where remote network access to server actions is not exposed.
- Egress-filter the NextChat host so it can only reach approved MCP server destinations.
# Example reverse-proxy restriction (nginx) limiting MCP action access to an internal subnet
location /api/mcp/ {
allow 10.0.0.0/8;
deny all;
proxy_pass http://nextchat_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
