PT-2026-53919 · Hkuds · Deeptutor

Chia Min Jun Lennon · Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-58168

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

DeepTutor before version 1.4.10 contains an authorization bypass vulnerability that allows low-privilege users to invoke unrestricted MCP tools due to the allowed_mcp_tools function returning None instead of a denied result when mcp_tools is omitted from a user's grant in deeptutor/multi_user/tool_access.py. Attackers or prompt-injected content acting within a user session can enumerate and invoke any configured MCP tool, including filesystem, shell, and browser servers, gaining unauthorized access to sensitive deployment resources.
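
The fail-open pattern described above, next to a fail-closed form, as an added example that is not DeepTutor's code. The grant layout, tool names, helper names and the caller that reads None as "no filter" are assumptions made for illustration.

```python
"""Hypothetical model of the fail-open pattern; not DeepTutor source code."""
from typing import Optional

# Constructed sample data: MCP tools configured on a deployment.
CONFIGURED_TOOLS = ["filesystem.read", "shell.exec", "browser.open", "wiki.search"]

# Constructed grants: "alice" has an explicit allowlist, "bob" has no mcp_tools key.
GRANTS = {
    "alice": {"mcp_tools": ["wiki.search"]},
    "bob": {"models": ["default"]},
}


def allowed_mcp_tools_fail_open(grant: dict) -> Optional[frozenset]:
    """Flawed pattern: an omitted key yields None rather than a denied result."""
    tools = grant.get("mcp_tools")
    return None if tools is None else frozenset(tools)


def visible_tools_fail_open(user: str) -> list:
    allowed = allowed_mcp_tools_fail_open(GRANTS.get(user, {}))
    if allowed is None:  # Assumed caller: None is read as "no filter applies"
        return list(CONFIGURED_TOOLS)
    return [t for t in CONFIGURED_TOOLS if t in allowed]


def allowed_mcp_tools_fail_closed(grant: dict) -> frozenset:
    """Hardened pattern: always return a set; omitted or malformed means deny all."""
    tools = grant.get("mcp_tools")
    if not isinstance(tools, (list, tuple, set, frozenset)):
        return frozenset()
    return frozenset(t for t in tools if isinstance(t, str))


def visible_tools_fail_closed(user: str) -> list:
    allowed = allowed_mcp_tools_fail_closed(GRANTS.get(user, {}))
    return [t for t in CONFIGURED_TOOLS if t in allowed]


def authorize_call(user: str, tool: str) -> bool:
    """Check again at invocation time, not only when listing tools."""
    return tool in allowed_mcp_tools_fail_closed(GRANTS.get(user, {}))


if __name__ == "__main__":
    for user in ("alice", "bob", "unknown"):
        print(user, visible_tools_fail_open(user), visible_tools_fail_closed(user))
```

A regression test for this class of bug should cover a grant with the key omitted, not only grants with an empty or populated list.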

Exploit

Fix

Missing Authorization

Weakness Enumeration

Related identifiers

CVE-2026-58168

Affected products

Deeptutor