Description
A flaw has been found in arc53 DocsGPT up to 0.18.0. The affected element is the function encrypt_credentials of the file application/security/encryption.py of the component Credential Storage. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.
Published: 2026-06-28
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in the encrypt_credentials function removes sufficient verification of data authenticity, which could allow a malicious actor to supply altered ciphertext that is accepted as valid. Based on the description, it is inferred that the compromised integrity check would enable credential tampering or injection, thereby undermining authentication for the affected system.

Affected Systems

All installations of arc53 DocsGPT up to and including version 0.18.0 that use the default Credential Storage implementation are affected. The vulnerability applies whenever the application loads encrypted credentials via the vulnerable function.

Risk and Exploitability

The CVSS score of 2.3 and the stated high attack complexity indicate a low overall rating, yet an exploit is available and the attack can be initiated remotely. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, but the published exploit suggests that a remote attacker could deliver manipulated ciphertext through an API or administrative interface, potentially compromising stored credentials if the integrity check is bypassed. Because the exploit is documented and feasible, timely remediation is advised.

Generated by OpenCVE AI on June 28, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade arc53 DocsGPT to a version where the pending pull request that restores integrity verification has been merged
  • If an upgrade is not yet possible, disable or replace the built‑in Credential Storage component with a secure alternative that includes HMAC or signed tokens for authenticity
  • Restrict administrative and API access to the credential storage module and audit logs for any unexpected changes

Generated by OpenCVE AI on June 28, 2026 at 08:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 28 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description A flaw has been found in arc53 DocsGPT up to 0.18.0. The affected element is the function encrypt_credentials of the file application/security/encryption.py of the component Credential Storage. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.
Title arc53 DocsGPT Credential Storage encryption.py encrypt_credentials data authenticity
First Time appeared Arc53
Arc53 docsgpt
Weaknesses CWE-345
CPEs cpe:2.3:a:arc53:docsgpt:*:*:*:*:*:*:*:*
Vendors & Products Arc53
Arc53 docsgpt
References
Metrics cvssV2_0

{'score': 2.1, 'vector': 'AV:N/AC:H/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T13:01:38.042Z

Reserved: 2026-06-27T15:02:53.995Z

Link: CVE-2026-13483

cve-icon Vulnrichment

Updated: 2026-06-29T13:01:34.446Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T12:15:16Z

Weaknesses
  • CWE-345

    Insufficient Verification of Data Authenticity