Skip to main content

AI Assist for Customer CVE-2026-57474

| EUVDEUVD-2026-42974 MEDIUM
Information Exposure (CWE-200)
2026-07-10 cisa-cg GHSA-fphv-wg9q-66c2
6.9
CVSS 4.0 · Vendor: cisa-cg
Share

Severity by source

Vendor (cisa-cg) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-accessible unauthenticated API discloses configuration only; no scope change, integrity, or availability impact warranting C:L/I:N/A:N/S:U.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (cisa-cg).

CVSS VectorVendor: cisa-cg

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 10, 2026 - 19:01 EUVD
Analysis Generated
Jul 10, 2026 - 18:35 vuln.today
CVSS changed
Jul 10, 2026 - 18:22 NVD
5.3 (MEDIUM) 6.9 (MEDIUM)

DescriptionCVE.org

Deloitte AI Assist for Customer disclosed some configuration information through public-facing API endpoints that accepted unauthenticated requests. This information could reduce an attacker’s reconnaissance effort. On 2026-03-25, AI Assist for Customer restricted network access and enforced authentication for the previously exposed endpoints.

AnalysisAI

Configuration information disclosure in Deloitte AI Assist for Customer exposed internal system details through unauthenticated, publicly accessible API endpoints, reducing attacker reconnaissance effort. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L) confirms remote, low-complexity, unauthenticated access, though impact is bounded to low confidentiality exposure with no integrity or availability consequence. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify public API endpoints via passive recon
Delivery
Send unauthenticated HTTP request to endpoint
Exploit
Receive configuration metadata in response
Execution
Extract service identifiers and internal architecture details
Impact
Use intelligence to plan targeted follow-on attack

Vulnerability AssessmentAI

Exploitation No special conditions are required to trigger information disclosure - the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms unauthenticated remote exploitation against all configurations of Deloitte AI Assist for Customer prior to the 2026-03-25 remediation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 6.9 reflects the low-barrier access path (unauthenticated, network-accessible, low complexity) offset by a constrained impact envelope (VC:L, VI:N, VA:N, SC:N, SI:N, SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated external attacker sends HTTP GET requests to the documented or discoverable public API endpoints of Deloitte AI Assist for Customer and receives configuration responses containing internal service identifiers, endpoint URLs, or system metadata. The attacker uses this information to map the application's internal architecture without needing credentials, reducing the time and effort required to plan a more targeted follow-on attack such as credential stuffing, API abuse, or lateral movement. …
Remediation Deloitte resolved the vulnerability on 2026-03-25 through two server-side controls: restricting network access to the previously public API endpoints and enforcing authentication on those endpoints. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57474 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy