Skip to main content

DeepTutor CVE-2026-58168

| EUVDEUVD-2026-40375 HIGH
Missing Authorization (CWE-862)
2026-06-30 VulnCheck GHSA-jg88-rvpc-qvxj
7.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-reachable and low-complexity but requires an authenticated low-privilege session (PR:L); abusing shell/filesystem MCP servers yields full host C/I/A impact within the same authorization scope (S:U).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Source Code Evidence Fetched
Jun 30, 2026 - 17:40 vuln.today
Analysis Updated
Jun 30, 2026 - 17:40 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 17:39 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 17:22 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 17:22 NVD
8.8 (HIGH) 7.7 (HIGH)
Analysis Generated
Jun 30, 2026 - 17:16 vuln.today

DescriptionCVE.org

DeepTutor before version 1.4.10 contains an authorization bypass vulnerability that allows low-privilege users to invoke unrestricted MCP tools due to the allowed_mcp_tools function returning None instead of a denied result when mcp_tools is omitted from a user's grant in deeptutor/multi_user/tool_access.py. Attackers or prompt-injected content acting within a user session can enumerate and invoke any configured MCP tool, including filesystem, shell, and browser servers, gaining unauthorized access to sensitive deployment resources.

AnalysisAI

Privilege escalation via missing authorization in HKUDS DeepTutor before 1.4.10 lets any authenticated low-privilege user invoke deployment-wide MCP (Model Context Protocol) tools they were never granted. The root cause is the allowed_mcp_tools function in deeptutor/multi_user/tool_access.py returning None (interpreted as 'allow all') instead of a denied result when the mcp_tools key is omitted from a user's grant, so a regular user - or prompt-injected content running inside their session - can enumerate and call filesystem, shell, and browser MCP servers. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege user
Delivery
Enumerate MCP tools via fail-open grant
Exploit
Invoke shell/filesystem MCP server
Execution
Execute commands and read host resources
Impact
Exfiltrate sensitive deployment data

Vulnerability AssessmentAI

Exploitation Requires an authenticated low-privilege (non-admin) user session in a DeepTutor multi-user deployment (PR:L) AND that the targeted user's grant omits the mcp_tools field - which is the default/insecure state, so the condition is commonly satisfied. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderate and broadly consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privilege user (or attacker who has obtained any non-admin account) logs into a multi-user DeepTutor instance whose grant omits mcp_tools, then enumerates and invokes the shell or filesystem MCP server to read secrets or run commands on the host. Equally plausible without a malicious human: attacker-controlled content (a document or page) processed in a victim's session triggers prompt injection that calls those same tools. …
Remediation Vendor-released patch: upgrade to DeepTutor v1.4.10 or later (release: https://github.com/HKUDS/DeepTutor/releases/tag/v1.4.10; fix commit 90046374b3dcd4f8a866d2d64a64440bc08eb2ef via PR https://github.com/HKUDS/DeepTutor/pull/579), which makes MCP tools deny-by-default for non-admin users; the upgrade is described as drop-in with no migration required. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all HKUDS DeepTutor instances for version status and identify multi-user deployments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58168 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy