CVE-2026-10214: Command Injection in chatgpt-on-wechat Bash Tool
A command injection vulnerability exists in the Bash Tool component of chatgpt-on-wechat versions up to 2.0.8. An attacker can remotely exploit a flaw in the _get_safety_warning function to execute arbitrary operating system commands without authentication. This issue is being actively exploited in the wild. Organizations using affected versions should prioritize upgrading to 2.0.9 immediately.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-77, CWE-78
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in zhayujie chatgpt-on-wechat up to 2.0.8. This issue affects the function _get_safety_warning of the file agent/tools/bash/bash.py of the component Bash Tool. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2.0.9 is capable of addressing this issue. This patch is called 16d9b449c9aa53ccee44144a762a2737d7ba4fc4. It is recommended to upgrade the affected component.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the agent/tools/bash/bash.py file, specifically within the _get_safety_warning function of the Bash Tool component. The flaw allows improper neutralization of special elements used in an OS command (CWE-78), which stems from insufficient input validation (CWE-77). An unauthenticated remote attacker can craft malicious input that breaks out of the intended command context and inject arbitrary shell commands. The vulnerability requires no special privileges or user interaction to exploit, making it trivial to weaponize. The attack surface is network-accessible, and public exploit code is already available.
Business impact
This vulnerability enables unauthorized command execution on systems running vulnerable versions of chatgpt-on-wechat. An attacker gaining code execution can steal sensitive data, modify application behavior, establish persistence, or pivot to internal systems. For organizations using this tool in production or development environments, the risk is particularly acute if the service runs with elevated privileges or accesses confidential information. The presence of public exploits dramatically increases the likelihood of active exploitation, raising incident response and potential breach notification costs.
Affected systems
zhayujie chatgpt-on-wechat versions up to and including 2.0.8 are affected. The Bash Tool component is the attack vector. Any deployment running these versions is vulnerable if the Bash Tool is enabled or accessible. Organizations should audit their environment to confirm installed versions and the operational status of the Bash Tool.
Exploitability
This vulnerability carries a CVSS 3.1 score of 7.3 (HIGH severity). The attack requires no authentication, no user interaction, and only network access—all factors lowering the barrier to exploitation. The Network Access vector (AV:N), Low complexity (AC:L), and no privileges required (PR:N) make this a straightforward remote exploit. Public exploits are already available, eliminating the need for attackers to develop working code independently. The combination of low friction and active exploitation in the wild indicates this threat should be treated with urgency.
Remediation
Upgrade chatgpt-on-wechat to version 2.0.9 or later. The patch commit hash is 16d9b449c9aa53ccee44144a762a2737d7ba4fc4, which addresses the command injection in the _get_safety_warning function. Verify that the upgrade is applied across all instances, including development, staging, and production environments. If immediate upgrading is not feasible, consider disabling the Bash Tool component until patching can be completed.
Patch guidance
Deploy version 2.0.9 of chatgpt-on-wechat as soon as possible. Review vendor release notes and any breaking changes associated with this version. Test the patch in a non-production environment first to ensure compatibility with your deployment. Verify the patch commit (16d9b449c9aa53ccee44144a762a2737d7ba4fc4) matches your installed version to confirm successful patching. Monitor application logs post-upgrade for any anomalies. Consider enabling automated dependency scanning to detect future vulnerable versions early.
Detection guidance
Hunt for exploitation attempts by monitoring application and system logs for unusual command execution patterns originating from the chatgpt-on-wechat process, particularly involving shell metacharacters or unexpected system commands. Search for HTTP requests or API calls to the affected Bash Tool endpoint containing encoded or obfuscated payloads. Monitor process trees for child processes spawned by the application that are inconsistent with normal operation. Implement network intrusion detection signatures targeting known public exploits for this vulnerability. Check audit logs for file modifications or privilege escalations coinciding with suspicious application behavior.
Why prioritize this
This vulnerability merits immediate attention due to the combination of high CVSS score (7.3), unauthenticated remote exploitability, active public exploitation, and the severity of command injection impacts. The low complexity and absence of required privileges mean almost any network-connected attacker can weaponize this vulnerability. Organizations should treat this as a critical patch priority and deploy remediation within 24-48 hours if operationally feasible.
Risk score, explained
The CVSS 3.1 score of 7.3 reflects the critical exploitability factors: network accessibility (AV:N), low attack complexity (AC:L), no authentication required (PR:N), and no user interaction needed (UI:N). The impact scope is unchanged (S:U), but the confidentiality, integrity, and availability impacts are all rated as Low (C:L/I:L/A:L), meaning a compromised system experiences some degradation across all three pillars. In real-world context, the score is amplified by the presence of public exploits and active exploitation, warranting treatment as a higher-priority issue than the numeric score alone suggests.
Frequently asked questions
What does the Bash Tool component do?
The Bash Tool in chatgpt-on-wechat allows the AI agent to execute shell commands on the underlying system. This is useful for automation and integration but introduces significant security risk if input is not properly validated. The vulnerability demonstrates why command execution capabilities must be carefully guarded and input strictly sanitized.
Can this vulnerability be exploited if we disable the Bash Tool?
Yes, if the Bash Tool is exposed via a network endpoint, the vulnerability can likely still be triggered even if execution is theoretically disabled. The safest interim mitigation is to upgrade to 2.0.9. If you must delay upgrading, confirm that the Bash Tool endpoint is not accessible from untrusted networks.
How do we know if we've been exploited?
Review application and system logs for suspicious command execution, unexpected processes, or file modifications coinciding with the publication date (2026-06-01) or afterward. Check for authentication bypass attempts or lateral movement artifacts. If you detect command execution through the Bash Tool that your team did not authorize, assume compromise and initiate incident response procedures immediately.
Does this affect only production deployments?
No. Development and staging environments running vulnerable versions are equally at risk. Attackers frequently target non-production systems as a foothold to learn the environment or establish persistence before attacking production. Patch all environments consistently.
This analysis is based on publicly available information about CVE-2026-10214 as of the publication date. Vulnerability details, exploitability, and patch availability are subject to change. Organizations should verify patch applicability and compatibility with their specific deployment architecture. This document does not constitute legal, compliance, or official incident response guidance; consult your security team and vendor for definitive remediation steps. SEC.co makes no warranty regarding the accuracy or completeness of this intelligence and disclaims liability for any damage resulting from reliance on this information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10219HIGHGoClaw Command Injection Vulnerability
- CVE-2026-10273HIGHRemote Code Execution in php-censor Webhook Handler
- CVE-2026-10870HIGHShibby Tomato 1.28.0000 OS Command Injection Vulnerability
- CVE-2026-10871HIGHShibby Tomato Remote Command Injection via IPv6 6rd Parameter
- CVE-2026-10872HIGHOS Command Injection in Shibby Tomato 1.28.0000 Web UI
- CVE-2026-10873HIGHOS Command Injection in Shibby Tomato 1.28.0000 Web UI
- CVE-2026-10279MEDIUMOS Command Injection in wezterm-mcp 0.1.0
- CVE-2024-52011HIGHCommand Injection in launch-editor via Malicious Filenames on Windows