Skip to main content

AI Assist for Customer CVE-2026-57475

| EUVDEUVD-2026-42975 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-07-10 cisa-cg GHSA-23xg-h5j2-8fcf
6.9
CVSS 4.0 · Vendor: cisa-cg
Share

Severity by source

Vendor (cisa-cg) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-accessible with no auth required per description and PR:N in source vector; scope unchanged, no confidentiality or availability impact; low integrity write only.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (cisa-cg).

CVSS VectorVendor: cisa-cg

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 10, 2026 - 19:01 EUVD
Analysis Generated
Jul 10, 2026 - 18:34 vuln.today
CVSS changed
Jul 10, 2026 - 18:22 NVD
5.3 (MEDIUM) 6.9 (MEDIUM)

DescriptionCVE.org

Deloitte AI Assist for Customer accepted unauthenticated POST requests through public-facing API endpoints that allowed a remote attacker to make limited additions to the configuration. These additions were not used by the system. On 2026-03-25, AI Assist for Customer restricted network access and enforced authentication for the previously exposed endpoints.

AnalysisAI

Deloitte AI Assist for Customer exposed public-facing REST API endpoints that accepted unauthenticated POST requests, enabling remote attackers to inject limited additions into the application's configuration store without credentials. The root cause is CWE-306 (Missing Authentication for Critical Function), and the CVSS 4.0 vector (PR:N/AV:N/AC:L) confirms zero-friction remote exploitation against default deployments. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-exposed AI Assist API base URL
Delivery
Send unauthenticated HTTP POST to configuration endpoint
Exploit
Inject limited configuration additions
Execution
Additions written to configuration store
Impact
System ignores injected data, no operational effect

Vulnerability AssessmentAI

Exploitation No authentication is required - the CVSS 4.0 vector confirms PR:N, meaning exploitation is fully unauthenticated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 6.9 (Medium) reflects genuinely accessible, low-friction exploitation: the attack vector is network (AV:N), complexity is low (AC:L), and no privileges or user interaction are required (PR:N/UI:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker identifies a publicly reachable AI Assist for Customer deployment, then sends crafted HTTP POST requests directly to the exposed configuration API endpoints - requiring no credentials, tokens, or prior access. The attacker successfully writes limited entries into the configuration store. …
Remediation On 2026-03-25, Deloitte remediated this vulnerability by restricting network access to the previously exposed endpoints and enforcing authentication for all affected API paths. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57475 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy