Skip to main content

Chat2DB CVE-2026-63307

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-17 VulnCheck
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network API reachable by any authenticated low-privilege user (PR:L, AV:N, AC:L, UI:N) with high confidentiality impact from leaked credentials and no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 17, 2026 - 16:48 vuln.today
Analysis Generated
Jul 17, 2026 - 16:48 vuln.today
CVE Published
Jul 17, 2026 - 16:13 cve.org
HIGH 7.1

DescriptionCVE.org

Chat2DB before 5.3.0 contains an insecure direct object reference vulnerability in the GET /api/connection/datasource/{id} endpoint. The handler calls dataSourceService.queryExistent(id, ...) without an ownership check and returns the decrypted password field, allowing any authenticated non-admin user to enumerate datasource IDs and read the plaintext database credentials of datasources owned by other users.

AnalysisAI

Insecure direct object reference in Chat2DB before 5.3.0 lets any authenticated non-admin user read the decrypted database credentials of datasources belonging to other users by enumerating IDs against GET /api/connection/datasource/{id}. Because the handler returns the plaintext password field and omits an ownership check, a single low-privileged account can harvest every other tenant's stored connection secrets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege Chat2DB account
Delivery
Enumerate datasource IDs via API
Exploit
Request GET /api/connection/datasource/{id}
Execution
Read decrypted plaintext credentials
Persist
Connect to victim backend database
Impact
Exfiltrate data

Vulnerability AssessmentAI

Exploitation Requires a valid authenticated Chat2DB account (PR:L) reachable over the network to the REST API - no admin role, no user interaction, and no non-default feature toggle is needed, since the vulnerable code path is the standard GET /api/connection/datasource/{id} handler. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N, base 7.1) is internally consistent with the description: network-reachable API, low complexity, one low-privilege authenticated account, high confidentiality impact and no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged user with a valid Chat2DB account scripts sequential requests to GET /api/connection/datasource/1, /2, /3 … and reads the decrypted password field returned for each datasource owned by other users. Using the harvested plaintext credentials, the attacker connects directly to those backend databases and exfiltrates data. …
Remediation Vendor-released patch: upgrade to Chat2DB 5.3.0 or later (release https://github.com/OtterMind/Chat2DB/releases/tag/v5.3.0, or Docker image chat2db/chat2db:5.3.0); note that 5.3.0 is not an in-place upgrade from 0.3.x, so back up and migrate data before installing. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: immediately audit Chat2DB access logs for suspicious enumeration of /api/connection/datasource/{id} endpoints; disable Chat2DB if it accesses production databases; notify your security team and affected stakeholders. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-63307 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy