Skip to main content

Microsoft SimpleChat EUVDEUVD-2026-44941

| CVE-2026-57205 MEDIUM
Information Exposure (CWE-200)
2026-07-16 GitHub_M
4.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible REST API requires only a valid user session (PR:L); no complexity or interaction needed; impact is read-only exposure of profile metadata, no integrity or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Jul 16, 2026 - 17:03 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 15:55 vuln.today
Analysis Generated
Jul 16, 2026 - 15:55 vuln.today
CVE Published
Jul 16, 2026 - 15:12 cve.org
MEDIUM 4.3

DescriptionCVE.org

SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.203, the authenticated GET /api/user/info/<user_id> and GET /api/user/profile-image/<user_id> endpoints in application/single_app/route_backend_users.py accepted a caller-supplied user_id and read the matching Cosmos DB user-settings document without object-level authorization, allowing a low-privilege authenticated user to retrieve another user's email address, display name, and profile image. This issue is fixed in version 0.241.203.

AnalysisAI

Insecure Direct Object Reference (IDOR) in Microsoft SimpleChat exposes any authenticated user's profile data to other authenticated users without authorization checks. The GET /api/user/info/<user_id> and GET /api/user/profile-image/<user_id> endpoints in route_backend_users.py accept a caller-supplied user_id and query the Cosmos DB user-settings document directly, bypassing object-level authorization - enabling enumeration of email addresses, display names, and profile images across the entire user base. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege SimpleChat account
Delivery
Authenticate and capture session token
Exploit
Enumerate user IDs via sequential API calls
Execution
Call GET /api/user/info/<user_id> for each ID
Impact
Exfiltrate email addresses and display names of all users

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session in the SimpleChat application - any user account, regardless of privilege level, is sufficient (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (Medium) accurately captures the bounded impact: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N indicates network-reachable exploitation with no attack complexity, requiring only a low-privilege account, with limited confidentiality impact and no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with any valid SimpleChat account issues sequential GET requests to /api/user/info/1, /api/user/info/2, etc., iterating over numeric or UUID user identifiers to harvest the full user directory - collecting email addresses and display names for every registered user. No special tooling is required beyond a browser developer console or a simple script using the attacker's session cookie. …
Remediation Upgrade to Microsoft SimpleChat version 0.241.203 or later, which introduces object-level authorization checks on the affected user info and profile-image endpoints. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44941 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy