Skip to main content

DocsGPT EUVDEUVD-2026-39983

| CVE-2026-13483 LOW
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-28 VulDB GHSA-v4h4-747p-qjgx
1.3
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
1.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.1 LOW

Network-reachable but requires authenticated low-privilege access and high complexity; impact is limited to low integrity with no confidentiality or availability effect.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 28, 2026 - 07:22 NVD
2.3 (LOW) 1.3 (LOW)
Source Code Evidence Fetched
Jun 28, 2026 - 06:59 vuln.today
Analysis Generated
Jun 28, 2026 - 06:59 vuln.today

DescriptionCVE.org

A flaw has been found in arc53 DocsGPT up to 0.18.0. The affected element is the function encrypt_credentials of the file application/security/encryption.py of the component Credential Storage. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.

AnalysisAI

Credential storage in DocsGPT up to 0.18.0 uses AES-CBC - an unauthenticated cipher mode - allowing a low-privilege authenticated attacker to tamper with encrypted credential blobs without detection, as the application performs no integrity or authenticity verification before decrypting. The root cause (CWE-345) is the absence of authenticated encryption: CBC provides confidentiality only, with no MAC or HMAC binding, and the legacy implementation also lacked any user_id binding, enabling potential cross-user credential replay. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to DocsGPT with low-privilege credentials
Delivery
Access or intercept stored AES-CBC encrypted credential blob
Exploit
Apply CBC bit-flip manipulation or cross-user replay (no MAC to verify)
Execution
Submit tampered blob to application decryption endpoint
Persist
Application decrypts and accepts manipulated credentials as authentic
Impact
Attacker-controlled credential values stored or used by application

Vulnerability AssessmentAI

Exploitation The attacker must be authenticated to the DocsGPT application with at least low-privilege credentials (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.3 (Low) accurately reflects the limited real-world impact: AC:H (high attack complexity) and PR:L (authenticated access required) substantially constrain the attacker pool, and the impact is restricted to low integrity violation (VI:L) with no confidentiality or availability impact (VC:N, VA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privilege authenticated user retrieves or intercepts an AES-CBC encrypted credential blob stored by DocsGPT, then applies a CBC bit-flipping attack or replays the blob under a different user_id context - neither manipulation is detectable by the legacy decryption routine, which accepts any blob that decrypts to valid-looking padded JSON. The application processes the tampered credentials as authentic, potentially allowing the attacker to substitute controlled values for stored API keys or tokens. …
Remediation The upstream fix is available in GitHub PR #2331 (https://github.com/arc53/DocsGPT/pull/2331), which replaces AES-CBC with AES-GCM authenticated encryption and adds user_id-bound AAD to prevent cross-user replay. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39983 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy