Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable but requires authenticated low-privilege access and high complexity; impact is limited to low integrity with no confidentiality or availability effect.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A flaw has been found in arc53 DocsGPT up to 0.18.0. The affected element is the function encrypt_credentials of the file application/security/encryption.py of the component Credential Storage. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.
AnalysisAI
Credential storage in DocsGPT up to 0.18.0 uses AES-CBC - an unauthenticated cipher mode - allowing a low-privilege authenticated attacker to tamper with encrypted credential blobs without detection, as the application performs no integrity or authenticity verification before decrypting. The root cause (CWE-345) is the absence of authenticated encryption: CBC provides confidentiality only, with no MAC or HMAC binding, and the legacy implementation also lacked any user_id binding, enabling potential cross-user credential replay. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be authenticated to the DocsGPT application with at least low-privilege credentials (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 2.3 (Low) accurately reflects the limited real-world impact: AC:H (high attack complexity) and PR:L (authenticated access required) substantially constrain the attacker pool, and the impact is restricted to low integrity violation (VI:L) with no confidentiality or availability impact (VC:N, VA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privilege authenticated user retrieves or intercepts an AES-CBC encrypted credential blob stored by DocsGPT, then applies a CBC bit-flipping attack or replays the blob under a different user_id context - neither manipulation is detectable by the legacy decryption routine, which accepts any blob that decrypts to valid-looking padded JSON. The application processes the tampered credentials as authentic, potentially allowing the attacker to substitute controlled values for stored API keys or tokens. … |
| Remediation | The upstream fix is available in GitHub PR #2331 (https://github.com/arc53/DocsGPT/pull/2331), which replaces AES-CBC with AES-GCM authenticated encryption and adds user_id-bound AAD to prevent cross-user replay. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39983
GHSA-v4h4-747p-qjgx