Back to CVE List

CVE-2026-57206

HIGH SEVERITY

CVSS Score & Metrics

Base Score
8.6 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Vulnerability Description

SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.206, several plugin validation routes in application/single_app/plugin_validation_endpoint.py, including `POST /api/admin/plugins/test-instantiation`, `GET /api/admin/plugins/health-check/<plugin_name>`, `POST /api/admin/plugins/repair/<plugin_name>`, and `POST /api/plugins/validate`, relied on @swagger_route(security=get_auth_security()) documentation without enforcing @login_required, @user_required, or @admin_required at runtime, allowing unauthenticated or unauthorized clients to invoke plugin validation, health, and repair behavior. This issue is fixed in version 0.241.206.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-306
Source
NVD
Vendor
microsoft
Product
simplechat

External References

Discussion (0)

Add Comment

No comments yet. Be the first!