Description
An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs.
Published: 2026-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An information disclosure flaw exists in the /api/v1/user/info API endpoint of AgentChat v2.3.0. Unauthenticated callers can enumerate user IDs and retrieve sensitive data, including SHA-256 password hashes. The vulnerability allows a remote actor to obtain confidential user credentials without authentication, posing a risk to user account security and potentially enabling credential reuse attacks.

Affected Systems

The affected product is AgentChat, version 2.3.0. No vendor or sub-product information is listed beyond the product name; any deployment using this version is at risk.

Risk and Exploitability

The EPSS score is 0.00023 (under 1%) and the vulnerability is not listed in CISA KEV, indicating no known exploitation activity to date. However, the attack vector is inferred to be unauthenticated HTTP requests to a public API endpoint, so any host that exposes the API over the network is directly reachable by an attacker. The CVSS score is 7.5, indicating high severity, and disclosure of raw password hashes directly impacts confidentiality. Because the flaw requires no privileged access, the likelihood of exploitation remains high wherever the API is reachable over the network.

Generated by OpenCVE AI on June 10, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Block unauthenticated access to /api/v1/user/info at the network or application level
  • Require proper authentication and authorization before the endpoint returns any user data
  • Apply an upcoming product patch or upgrade to a version where the API access control is fixed
  • If a patch is not immediately available, temporarily disable the endpoint or quarantine the affected system until remediation occurs
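As an added example that is not AgentChat's code (the product's stack is not stated in this record), the access-control and data-minimisation fix these actions describe, modelled as plain Python handlers; the user store, session store and token values are all constructed:

```python
# Added example, not AgentChat's own code: a minimal model of the flawed
# /api/v1/user/info handler beside the hardened version the recommended
# actions describe (authenticate, authorize, never serialise the hash).
import hashlib

# Constructed sample data; the hashes are SHA-256 of placeholder passwords.
USERS = {
    1: {"id": 1, "name": "alice", "email": "alice@example.invalid",
        "password_hash": hashlib.sha256(b"placeholder-pw-1").hexdigest()},
    2: {"id": 2, "name": "bob", "email": "bob@example.invalid",
        "password_hash": hashlib.sha256(b"placeholder-pw-2").hexdigest()},
}
# Constructed session store: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": 1}
# Fields the endpoint may return: an allow-list, not a deny-list.
PUBLIC_FIELDS = ("id", "name", "email")


def vulnerable_user_info(user_id, token=None):
    """CWE-200 pattern: no auth check, whole record returned, ids enumerable."""
    user = USERS.get(user_id)
    if user is None:
        return 404, None
    return 200, dict(user)          # leaks password_hash to any caller


def hardened_user_info(user_id, token=None):
    """Authenticate, apply object-level authorization, then minimise output."""
    caller_id = SESSIONS.get(token)
    if caller_id is None:
        return 401, None            # unauthenticated: no data at all
    if caller_id != user_id:
        return 404, None            # other ids: same answer as "missing",
    user = USERS.get(user_id)       # so existence cannot be enumerated
    if user is None:
        return 404, None
    return 200, {k: user[k] for k in PUBLIC_FIELDS}


def audit_hash_exposure(handler, id_range, token=None):
    """Count ids in id_range for which handler's response body carries a hash."""
    return sum(
        1 for uid in id_range
        if (body := handler(uid, token)[1]) and "password_hash" in body
    )
```

Running the audit against both handlers over a small id range is a quick regression check that the hash never reaches a response, authenticated or not.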


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Title Information Disclosure via Unauthenticated Access to /api/v1/user/info in AgentChat v2.3.0
Weaknesses CWE-312

Wed, 10 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Agentchat
Agentchat agentchat
Vendors & Products Agentchat
Agentchat agentchat

Tue, 09 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Information Disclosure via Unauthenticated Access to /api/v1/user/info in AgentChat v2.3.0
Weaknesses CWE-200
CWE-312

Tue, 09 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-10T13:53:11.731Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36719

Vulnrichment

Updated: 2026-06-10T13:52:58.771Z

NVD

Status : Received

Published: 2026-06-09T19:17:42.257

Modified: 2026-06-10T15:16:33.613

Link: CVE-2026-36719

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T16:15:17Z

Weaknesses