Skip to main content

Simplechat CVE-2026-57206

| EUVDEUVD-2026-44942 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-07-16 GitHub_M
8.6
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Primary rating from Vendor (GitHub_M) · only source for this CVE.

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

4
Patch available
Jul 16, 2026 - 17:03 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 15:52 vuln.today
Analysis Generated
Jul 16, 2026 - 15:52 vuln.today
CVE Published
Jul 16, 2026 - 15:17 cve.org
HIGH 8.6

DescriptionCVE.org

SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.206, several plugin validation routes in application/single_app/plugin_validation_endpoint.py, including POST /api/admin/plugins/test-instantiation, GET /api/admin/plugins/health-check/<plugin_name>, POST /api/admin/plugins/repair/<plugin_name>, and POST /api/plugins/validate, relied on @swagger_route(security=get_auth_security()) documentation without enforcing @login_required, @user_required, or @admin_required at runtime, allowing unauthenticated or unauthorized clients to invoke plugin validation, health, and repair behavior. This issue is fixed in version 0.241.206.

AnalysisAI

Missing authentication in Microsoft SimpleChat (prior to 0.241.206) lets remote, unauthenticated clients invoke administrative plugin validation, health-check, and repair endpoints that were documented as protected but never enforced authentication at runtime. Any network-reachable attacker can trigger plugin instantiation, health probing, and repair actions without login or admin rights. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours, audit all internet-exposed SimpleChat instances and document network topology; immediately implement network-level access restrictions to administrative endpoints using firewall rules or Web Application Firewall (WAF) policies. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57206 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy