Impact
The flaw in the encrypt_credentials function removes sufficient verification of data authenticity, which could allow a malicious actor to supply altered ciphertext that is accepted as valid. Based on the description, it is inferred that the compromised integrity check would enable credential tampering or injection, thereby undermining authentication for the affected system.
Affected Systems
All installations of arc53 DocsGPT up to and including version 0.18.0 that use the default Credential Storage implementation are affected. The vulnerability applies whenever the application loads encrypted credentials via the vulnerable function.
Risk and Exploitability
The CVSS score of 2.3 and the stated high attack complexity indicate a low overall rating, yet an exploit is available and the attack can be initiated remotely. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, but the published exploit suggests that a remote attacker could deliver manipulated ciphertext through an API or administrative interface, potentially compromising stored credentials if the integrity check is bypassed. Because the exploit is documented and feasible, timely remediation is advised.
OpenCVE Enrichment