Description
DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information including email addresses, phone numbers, full names, and role information.
Published: 2026-02-06
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure through User Enumeration
Action: Apply Patch
AI Analysis

Impact

DeepAudit, a multi-agent system designed to discover code vulnerabilities, contains an improper access control flaw on the /api/v1/users/ endpoint. Any authenticated user can query this endpoint and receive a list of all users, including private data such as email addresses, phone numbers, full names, and role information. The flaw exposes sensitive personal and role data to anyone who has already authenticated to the system, which can facilitate further credential-based attacks or social engineering. The weakness is identified as CWE-863, improper authorization.

Affected Systems

The vulnerability affects lintsinghua DeepAudit, specifically all releases up to and including version 3.0.4. Users running these or earlier versions of the software are at risk and should verify their deployment version.

Risk and Exploitability

The calculated CVSS score is 2.1, indicating low severity. The EPSS score is below 1%, signaling a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector requires the attacker to hold valid credentials for the DeepAudit instance. Once authenticated, the attacker can enumerate all users and collect sensitive data without any additional privileges.

Generated by OpenCVE AI on April 18, 2026 at 13:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy an updated version of DeepAudit that corrects the access control flaw.
  • Restrict the /api/v1/users/ endpoint to users with administrative privileges only.
  • Monitor for abnormal enumeration activity and enforce least privilege on all authenticated users.

Generated by OpenCVE AI on April 18, 2026 at 13:28 UTC.
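
The second recommended action, as an added example that is not DeepAudit's code and not part of the OpenCVE analysis: a framework-independent sketch that places a handler checking authentication only beside one that also enforces an admin role. The user records, role names and function names are constructed for illustration.

```python
# Illustrative sketch only: constructed data and hypothetical names,
# not taken from DeepAudit's code base.
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class User:
    id: int
    email: str
    phone: str
    full_name: str
    role: str  # hypothetical role names: "admin" or "member"


# Constructed sample records.
USERS = [
    User(1, "root@example.test", "555-0100", "Ada Admin", "admin"),
    User(2, "bob@example.test", "555-0101", "Bob Member", "member"),
]


class Forbidden(Exception):
    """Maps to HTTP 403 in a real web framework."""


def list_users_flawed(caller):
    # CWE-863 pattern: the caller is authenticated (not None), but no
    # check is made that the caller is *allowed* to list every user.
    if caller is None:
        raise PermissionError("authentication required")  # HTTP 401
    return [asdict(u) for u in USERS]


def list_users_restricted(caller):
    # Authentication and authorization are separate decisions.
    if caller is None:
        raise PermissionError("authentication required")  # HTTP 401
    if caller.role != "admin":
        raise Forbidden("admin role required")  # HTTP 403
    return [asdict(u) for u in USERS]


def get_own_profile(caller):
    # Non-admin callers can still read their own record, nothing else.
    if caller is None:
        raise PermissionError("authentication required")
    return asdict(caller)
```

A regression test that calls the list handler with a non-admin session and expects a 403 keeps the check from being dropped in a later refactor.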

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 00:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:lintsinghua:deepaudit:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Lintsinghua
Lintsinghua deepaudit
Vendors & Products Lintsinghua
Lintsinghua deepaudit

Fri, 06 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
Description DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information including email addresses, phone numbers, full names, and role information.
Title DeepAudit Affected by User Enumeration via Broken Access Control
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T20:50:17.216Z

Reserved: 2026-02-05T16:48:00.427Z

Link: CVE-2026-25729

Vulnrichment

Updated: 2026-02-06T20:49:02.118Z

NVD

Status: Analyzed

Published: 2026-02-06T21:16:19.313

Modified: 2026-02-28T00:31:36.967

Link: CVE-2026-25729

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:30:45Z
