Skip to main content

Ai Assist For Customer

3 CVEs product

Monthly

CVE-2026-57476 MEDIUM PATCH This Month

Unauthenticated API endpoints in Deloitte AI Assist for Customer exposed the platform's retrieval-augmented generation corpus to unauthorized read access and content injection by any network-reachable attacker who could discover the required request parameters. The root cause is missing authentication on critical internal API functions (CWE-306), enabling adversaries to exfiltrate proprietary knowledge base content or poison AI-generated responses with injected documents. The vendor applied a server-side fix on 2026-03-25 by restricting network access and enforcing authentication; no public exploit code or CISA KEV listing has been identified, though an independent security advisory has been published.

Authentication Bypass Ai Assist For Customer
NVD
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-57475 MEDIUM PATCH This Month

Deloitte AI Assist for Customer exposed public-facing REST API endpoints that accepted unauthenticated POST requests, enabling remote attackers to inject limited additions into the application's configuration store without credentials. The root cause is CWE-306 (Missing Authentication for Critical Function), and the CVSS 4.0 vector (PR:N/AV:N/AC:L) confirms zero-friction remote exploitation against default deployments. Critically, the vendor states that the injected configuration additions were not consumed or acted upon by the system, substantially constraining real-world operational impact. The vendor remediated the issue on 2026-03-25 by restricting network access and enforcing authentication; no public exploit has been identified at time of analysis.

Authentication Bypass Ai Assist For Customer
NVD
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-57474 MEDIUM PATCH This Month

Configuration information disclosure in Deloitte AI Assist for Customer exposed internal system details through unauthenticated, publicly accessible API endpoints, reducing attacker reconnaissance effort. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L) confirms remote, low-complexity, unauthenticated access, though impact is bounded to low confidentiality exposure with no integrity or availability consequence. Deloitte confirmed the fix on 2026-03-25 by restricting network access and enforcing authentication on the affected endpoints; no public exploit or CISA KEV listing has been identified at time of analysis.

Information Disclosure Ai Assist For Customer
NVD
CVSS 4.0
6.9
EPSS
0.3%
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Unauthenticated API endpoints in Deloitte AI Assist for Customer exposed the platform's retrieval-augmented generation corpus to unauthorized read access and content injection by any network-reachable attacker who could discover the required request parameters. The root cause is missing authentication on critical internal API functions (CWE-306), enabling adversaries to exfiltrate proprietary knowledge base content or poison AI-generated responses with injected documents. The vendor applied a server-side fix on 2026-03-25 by restricting network access and enforcing authentication; no public exploit code or CISA KEV listing has been identified, though an independent security advisory has been published.

Authentication Bypass Ai Assist For Customer
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Deloitte AI Assist for Customer exposed public-facing REST API endpoints that accepted unauthenticated POST requests, enabling remote attackers to inject limited additions into the application's configuration store without credentials. The root cause is CWE-306 (Missing Authentication for Critical Function), and the CVSS 4.0 vector (PR:N/AV:N/AC:L) confirms zero-friction remote exploitation against default deployments. Critically, the vendor states that the injected configuration additions were not consumed or acted upon by the system, substantially constraining real-world operational impact. The vendor remediated the issue on 2026-03-25 by restricting network access and enforcing authentication; no public exploit has been identified at time of analysis.

Authentication Bypass Ai Assist For Customer
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Configuration information disclosure in Deloitte AI Assist for Customer exposed internal system details through unauthenticated, publicly accessible API endpoints, reducing attacker reconnaissance effort. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L) confirms remote, low-complexity, unauthenticated access, though impact is bounded to low confidentiality exposure with no integrity or availability consequence. Deloitte confirmed the fix on 2026-03-25 by restricting network access and enforcing authentication on the affected endpoints; no public exploit or CISA KEV listing has been identified at time of analysis.

Information Disclosure Ai Assist For Customer
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy