PatchSiren cyber security CVE debrief
CVE-2026-10214 zhayujie CVE debrief
A command injection vulnerability exists in the Bash Tool component of zhayujie chatgpt-on-wechat (also referenced as CowAgent), in versions up to and including 2.0.8. The weakness is located in the `_get_safety_warning` function within `agent/tools/bash/bash.py`. A remote attacker can supply crafted input to achieve operating system command injection. The vulnerability has been publicly disclosed, and the availability of an exploit is noted. A fix is available in version 2.0.9 via commit `16d9b449c9aa53ccee44144a762a2737d7ba4fc4`. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, no privileges required, and no user interaction needed, resulting in a MEDIUM severity score of 5.5. The weakness classifications are CWE-77 (Command Injection) and CWE-78 (OS Command Injection). Vendor attribution carries low confidence, is based on reference domain analysis, and requires review.
- Vendor: zhayujie
- Product: chatgpt-on-wechat
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Organizations and individuals running zhayujie chatgpt-on-wechat (CowAgent) versions ≤2.0.8 with the Bash Tool enabled, particularly deployments exposed to untrusted input or network-accessible interfaces.
Technical summary
The vulnerability resides in the `_get_safety_warning` function of `agent/tools/bash/bash.py` in the Bash Tool component. Insufficient input sanitization allows remote attackers to inject and execute arbitrary operating system commands. The attack requires no authentication or user interaction and can be conducted over the network. The fix in version 2.0.9 addresses the injection vector.
Defensive priority
medium
Recommended defensive actions
- Upgrade zhayujie chatgpt-on-wechat (CowAgent) to version 2.0.9 or later to remediate the command injection vulnerability
- Review and restrict network exposure of chatgpt-on-wechat instances where the Bash Tool component is enabled
- Monitor for unauthorized command execution attempts if immediate patching is not feasible
- Validate vendor attribution independently given the low-confidence vendor classification in source data
Evidence notes
CVE published 2026-06-01. Exploit publicly available per source description. Patch commit and release tag confirmed in source references. Vendor field marked low confidence with review flag.