CVE-2026-7847 Overview
CVE-2026-7847 affects chatchat-space Langchain-Chatchat versions up to 0.3.1.3. The vulnerability resides in the _get_file_id function within libs/chatchat-server/chatchat/server/api_server/openai_routes.py, part of the Uploaded File Handler component. The function generates insufficiently random values [CWE-310], producing predictable file identifiers for uploaded content.
An attacker on the adjacent network can predict file IDs assigned to uploads and access content belonging to other users. Exploitation requires local network access and is rated as high complexity. The exploit has been publicly disclosed. The Langchain-Chatchat project was notified through an issue report but had not responded at the time of disclosure.
Critical Impact
Predictable file identifiers in the upload handler allow adjacent-network attackers to enumerate and retrieve files uploaded by other users of a Langchain-Chatchat instance.
Affected Products
- chatchat-space Langchain-Chatchat versions up to and including 0.3.1.3
- Component: Uploaded File Handler (openai_routes.py)
- Function: _get_file_id
Discovery Timeline
- 2026-05-05 - CVE-2026-7847 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7847
Vulnerability Analysis
The _get_file_id function in libs/chatchat-server/chatchat/server/api_server/openai_routes.py generates identifiers that lack sufficient entropy. When users upload files through the OpenAI-compatible API routes, the server assigns each file an ID derived from a weak randomness source. An attacker who can observe or guess the generation pattern can enumerate IDs and request files they did not upload.
The weakness is classified under [CWE-310] (Cryptographic Issues), specifically insufficiently random values. This category applies when an application relies on values that should be unpredictable but uses non-cryptographic randomness, sequential counters, or low-entropy inputs such as timestamps.
Exploitation requires adjacent-network access to the Langchain-Chatchat service. The attack complexity is high because the attacker must reverse-engineer or model the ID generation pattern before requesting valid identifiers.
Root Cause
The root cause is the use of an insufficiently random value generator inside _get_file_id. Secure file identifier generation requires a cryptographically strong source such as secrets.token_urlsafe or uuid.uuid4 with adequate length. When predictable inputs feed identifier construction, the resulting IDs become guessable across user sessions.
Attack Vector
An attacker positioned on the same logical network segment as the Langchain-Chatchat server interacts with the file upload and retrieval endpoints. The attacker first observes legitimate file IDs returned during their own uploads. They then model the generation algorithm and request adjacent or predicted IDs through the OpenAI-compatible routes. Successful prediction returns files uploaded by other users, breaching tenant isolation in shared deployments.
No authentication bypass is required beyond standard low-privilege access. The vulnerability does not enable code execution or data modification — only confidentiality of uploaded files is impacted.
For technical details, refer to the GitHub Vulnerability Report and the upstream tracking GitHub Chatchat Issue #5464.
Detection Methods for CVE-2026-7847
Indicators of Compromise
- Sequential or pattern-matching requests to file retrieval endpoints under /v1/files/ from a single client within a short window
- Repeated 200 OK responses on file IDs the requesting account never uploaded
- Unusual volumes of GET requests to file metadata or content routes from adjacent-network hosts
Detection Strategies
- Instrument the Langchain-Chatchat application to log every file access with both the requesting user and the file owner, then alert on mismatches
- Deploy network monitoring on the segment hosting the service to flag enumeration patterns against _get_file_id-derived endpoints
- Audit existing file IDs for entropy using statistical tests; low-entropy IDs confirm exposure to this issue
Monitoring Recommendations
- Track per-source request rates against file API routes and alert on burst access
- Forward application access logs to a centralized analytics platform for cross-user correlation
- Review historical logs for prior enumeration attempts now that the exploit is public
How to Mitigate CVE-2026-7847
Immediate Actions Required
- Restrict network access to the Langchain-Chatchat service so it is not reachable from untrusted adjacent networks
- Require authenticated sessions for file retrieval endpoints and enforce ownership checks server-side
- Rotate or invalidate existing predictable file IDs where feasible and re-issue identifiers using a secure random source
Patch Information
No official patch has been released. The Langchain-Chatchat project was informed through an issue report but had not responded at the time of CVE publication. Monitor the GitHub Chatchat Repository and GitHub Chatchat Issue #5464 for upstream fixes.
Workarounds
- Replace the _get_file_id implementation locally with secrets.token_urlsafe(32) or uuid.uuid4().hex to produce high-entropy identifiers
- Add an authorization check in file retrieval handlers that verifies the requesting user owns the file before returning content
- Place the service behind a reverse proxy that enforces authentication and rate limits per source IP
# Example reverse proxy rate limit (nginx) to slow ID enumeration
limit_req_zone $binary_remote_addr zone=chatchat_files:10m rate=10r/m;
location /v1/files/ {
limit_req zone=chatchat_files burst=5 nodelay;
proxy_pass http://127.0.0.1:7861;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
