Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable and low-complexity but requires an authenticated low-privilege session (PR:L); abusing shell/filesystem MCP servers yields full host C/I/A impact within the same authorization scope (S:U).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
DeepTutor before version 1.4.10 contains an authorization bypass vulnerability that allows low-privilege users to invoke unrestricted MCP tools due to the allowed_mcp_tools function returning None instead of a denied result when mcp_tools is omitted from a user's grant in deeptutor/multi_user/tool_access.py. Attackers or prompt-injected content acting within a user session can enumerate and invoke any configured MCP tool, including filesystem, shell, and browser servers, gaining unauthorized access to sensitive deployment resources.
AnalysisAI
Privilege escalation via missing authorization in HKUDS DeepTutor before 1.4.10 lets any authenticated low-privilege user invoke deployment-wide MCP (Model Context Protocol) tools they were never granted. The root cause is the allowed_mcp_tools function in deeptutor/multi_user/tool_access.py returning None (interpreted as 'allow all') instead of a denied result when the mcp_tools key is omitted from a user's grant, so a regular user - or prompt-injected content running inside their session - can enumerate and call filesystem, shell, and browser MCP servers. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated low-privilege (non-admin) user session in a DeepTutor multi-user deployment (PR:L) AND that the targeted user's grant omits the mcp_tools field - which is the default/insecure state, so the condition is commonly satisfied. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderate and broadly consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privilege user (or attacker who has obtained any non-admin account) logs into a multi-user DeepTutor instance whose grant omits mcp_tools, then enumerates and invokes the shell or filesystem MCP server to read secrets or run commands on the host. Equally plausible without a malicious human: attacker-controlled content (a document or page) processed in a victim's session triggers prompt injection that calls those same tools. … |
| Remediation | Vendor-released patch: upgrade to DeepTutor v1.4.10 or later (release: https://github.com/HKUDS/DeepTutor/releases/tag/v1.4.10; fix commit 90046374b3dcd4f8a866d2d64a64440bc08eb2ef via PR https://github.com/HKUDS/DeepTutor/pull/579), which makes MCP tools deny-by-default for non-admin users; the upgrade is described as drop-in with no migration required. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all HKUDS DeepTutor instances for version status and identify multi-user deployments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40375
GHSA-jg88-rvpc-qvxj