Skip to main content

Simplechat

2 CVEs product

Monthly

CVE-2026-57206 HIGH PATCH This Week

Missing authentication in Microsoft SimpleChat (prior to 0.241.206) lets remote, unauthenticated clients invoke administrative plugin validation, health-check, and repair endpoints that were documented as protected but never enforced authentication at runtime. Any network-reachable attacker can trigger plugin instantiation, health probing, and repair actions without login or admin rights. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Simplechat
NVD GitHub
CVSS 3.1
8.6
CVE-2026-57205 MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in Microsoft SimpleChat exposes any authenticated user's profile data to other authenticated users without authorization checks. The GET /api/user/info/<user_id> and GET /api/user/profile-image/<user_id> endpoints in route_backend_users.py accept a caller-supplied user_id and query the Cosmos DB user-settings document directly, bypassing object-level authorization - enabling enumeration of email addresses, display names, and profile images across the entire user base. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; the vendor-released fix is version 0.241.203.

Information Disclosure Simplechat
NVD GitHub
CVSS 3.1
4.3
CVSS 8.6
HIGH PATCH This Week

Missing authentication in Microsoft SimpleChat (prior to 0.241.206) lets remote, unauthenticated clients invoke administrative plugin validation, health-check, and repair endpoints that were documented as protected but never enforced authentication at runtime. Any network-reachable attacker can trigger plugin instantiation, health probing, and repair actions without login or admin rights. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Simplechat
NVD GitHub
CVSS 4.3
MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in Microsoft SimpleChat exposes any authenticated user's profile data to other authenticated users without authorization checks. The GET /api/user/info/<user_id> and GET /api/user/profile-image/<user_id> endpoints in route_backend_users.py accept a caller-supplied user_id and query the Cosmos DB user-settings document directly, bypassing object-level authorization - enabling enumeration of email addresses, display names, and profile images across the entire user base. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; the vendor-released fix is version 0.241.203.

Information Disclosure Simplechat
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy