CVE-2026-7846 Overview
CVE-2026-7846 is a time-of-check time-of-use (TOCTOU) race condition affecting chatchat-space Langchain-Chatchat versions up to 0.3.1.3. The flaw resides in the files function within libs/chatchat-server/chatchat/server/api_server/openai_routes.py, which implements the OpenAI-Compatible File Upload API. Manipulation of the file.filename argument introduces a race window between filename validation and file write operations. Exploitation requires adjacent network access and a high level of attack complexity, making practical abuse difficult. The issue is tracked as [CWE-362] (Concurrent Execution using Shared Resource with Improper Synchronization). A public proof-of-concept has been disclosed, and the maintainers were notified through a GitHub issue but have not responded.
Critical Impact
An attacker on the local network with low privileges can race the file upload validation logic to silently overwrite files handled by the Langchain-Chatchat OpenAI-compatible endpoint.
Affected Products
- chatchat-space Langchain-Chatchat versions up to and including 0.3.1.3
- Component: OpenAI-Compatible File Upload API (libs/chatchat-server/chatchat/server/api_server/openai_routes.py)
- Vulnerable function: files (argument file.filename)
Discovery Timeline
- 2026-05-05 - CVE-2026-7846 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7846
Vulnerability Analysis
The vulnerability is a classic TOCTOU race condition. The files handler in openai_routes.py validates properties of file.filename at one point and later acts on the same filename when writing to disk. Between those two operations, an attacker on the adjacent network can change the conditions the application relied upon. This violates the assumption that the checked state remains valid through the use phase. The result is silent file overwrite within the directory the upload handler controls. Because the bug requires precise timing and adjacent network positioning, exploitation is non-trivial. Refer to the GitHub PoC writeup for the disclosed proof-of-concept.
Root Cause
The root cause is the absence of atomic handling of file.filename between validation and persistence. The handler treats the filename as stable across the lifecycle of the request, but the value or the underlying filesystem entry can be influenced concurrently. No locking, atomic rename, or canonicalization step prevents the interleaved state change.
Attack Vector
An authenticated low-privilege user on the same adjacent network must issue concurrent upload requests timed to win the race. The attacker manipulates file.filename to target a file that the API handler will subsequently write to or replace. Successful exploitation results in silent overwrite of the targeted file, with limited integrity impact and no direct confidentiality or availability impact, per the published vector.
No verified code example is available. The vulnerability mechanism is described in the public PoC repository and the VulDB entry #361125.
Detection Methods for CVE-2026-7846
Indicators of Compromise
- Unexpected modification timestamps on files within the Langchain-Chatchat upload directory served by the OpenAI-compatible endpoint.
- Multiple concurrent POST requests to the /v1/files route from the same adjacent-network source within tight time windows.
- Upload requests where file.filename contains values that resolve to existing server-managed files.
Detection Strategies
- Enable verbose request logging on the Langchain-Chatchat API server and correlate filename values across overlapping requests to identify race attempts.
- Apply file integrity monitoring (FIM) to the upload storage path to flag overwrites of files not expected to change.
- Hunt for bursts of upload API calls originating from a single internal host, which can indicate race-window probing.
Monitoring Recommendations
- Forward Langchain-Chatchat application logs and host filesystem audit events to a centralized analytics platform for correlation.
- Alert on filesystem writes to the chatchat upload directory that occur outside expected user workflows.
- Track authenticated API sessions issuing high-rate concurrent uploads as a behavioral signal.
How to Mitigate CVE-2026-7846
Immediate Actions Required
- Restrict network access to the Langchain-Chatchat API so only trusted clients on segmented networks can reach the file upload endpoint.
- Disable or gate the OpenAI-compatible file upload route if it is not required by your deployment.
- Audit the upload directory for unexpected file modifications and restore known-good content from backup where needed.
Patch Information
No vendor patch has been published. The maintainers were notified through GitHub issue #5463 but have not responded as of the NVD publication. Track the Langchain-Chatchat repository for future fixes.
Workarounds
- Place the API behind an authenticating reverse proxy that enforces strict allow-lists for file.filename values and rejects path-like or duplicate names.
- Run the chatchat server under a low-privilege account with write access limited to a dedicated upload directory containing no sensitive files.
- Enforce request rate limits and per-user concurrency caps on the upload route to shrink the exploitable race window.
# Example: limit concurrent uploads per source via nginx in front of Langchain-Chatchat
limit_req_zone $binary_remote_addr zone=chatchat_uploads:10m rate=2r/s;
location /v1/files {
limit_req zone=chatchat_uploads burst=2 nodelay;
limit_conn addr 1;
proxy_pass http://127.0.0.1:8000;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
