Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Primary rating from Vendor (GitHub_M) · only source for this CVE.
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
4DescriptionCVE.org
SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.206, several plugin validation routes in application/single_app/plugin_validation_endpoint.py, including POST /api/admin/plugins/test-instantiation, GET /api/admin/plugins/health-check/<plugin_name>, POST /api/admin/plugins/repair/<plugin_name>, and POST /api/plugins/validate, relied on @swagger_route(security=get_auth_security()) documentation without enforcing @login_required, @user_required, or @admin_required at runtime, allowing unauthenticated or unauthorized clients to invoke plugin validation, health, and repair behavior. This issue is fixed in version 0.241.206.
AnalysisAI
Missing authentication in Microsoft SimpleChat (prior to 0.241.206) lets remote, unauthenticated clients invoke administrative plugin validation, health-check, and repair endpoints that were documented as protected but never enforced authentication at runtime. Any network-reachable attacker can trigger plugin instantiation, health probing, and repair actions without login or admin rights. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours, audit all internet-exposed SimpleChat instances and document network topology; immediately implement network-level access restrictions to administrative endpoints using firewall rules or Web Application Firewall (WAF) policies. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Simplechat
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44942