Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible unauthenticated API discloses configuration only; no scope change, integrity, or availability impact warranting C:L/I:N/A:N/S:U.
Primary rating from Vendor (cisa-cg).
CVSS VectorVendor: cisa-cg
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Deloitte AI Assist for Customer disclosed some configuration information through public-facing API endpoints that accepted unauthenticated requests. This information could reduce an attacker’s reconnaissance effort. On 2026-03-25, AI Assist for Customer restricted network access and enforced authentication for the previously exposed endpoints.
AnalysisAI
Configuration information disclosure in Deloitte AI Assist for Customer exposed internal system details through unauthenticated, publicly accessible API endpoints, reducing attacker reconnaissance effort. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L) confirms remote, low-complexity, unauthenticated access, though impact is bounded to low confidentiality exposure with no integrity or availability consequence. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required to trigger information disclosure - the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms unauthenticated remote exploitation against all configurations of Deloitte AI Assist for Customer prior to the 2026-03-25 remediation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 6.9 reflects the low-barrier access path (unauthenticated, network-accessible, low complexity) offset by a constrained impact envelope (VC:L, VI:N, VA:N, SC:N, SI:N, SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated external attacker sends HTTP GET requests to the documented or discoverable public API endpoints of Deloitte AI Assist for Customer and receives configuration responses containing internal service identifiers, endpoint URLs, or system metadata. The attacker uses this information to map the application's internal architecture without needing credentials, reducing the time and effort required to plan a more targeted follow-on attack such as credential stuffing, API abuse, or lateral movement. … |
| Remediation | Deloitte resolved the vulnerability on 2026-03-25 through two server-side controls: restricting network access to the previously public API endpoints and enforcing authentication on those endpoints. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Ai Assist For Customer
View allDeloitte AI Assist for Customer exposed public-facing REST API endpoints that accepted unauthenticated POST requests, en
Unauthenticated API endpoints in Deloitte AI Assist for Customer exposed the platform's retrieval-augmented generation c
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42974
GHSA-fphv-wg9q-66c2