PT-2026-53919 · Hkuds · Deeptutor
Chia Min Jun Lennon · Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-58168

CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
DeepTutor before version 1.4.10 contains an authorization bypass vulnerability that allows low-privilege users to invoke unrestricted MCP tools. The `allowed_mcp_tools` function in `deeptutor/multi_user/tool_access.py` returns `None` instead of a denied result when `mcp_tools` is omitted from a user's grant. Attackers, or prompt-injected content acting within a user session, can enumerate and invoke any configured MCP tool, including filesystem, shell, and browser servers, gaining unauthorized access to sensitive deployment resources.
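The fail-open pattern described above, as an added illustration that is constructed here and is not DeepTutor's code (the grant layout, the tool names and every helper name other than `allowed_mcp_tools` are assumptions): the vulnerable lookup returns `None` for an omitted grant and its caller reads `None` as "unrestricted", while the fixed lookup returns an empty set so a missing grant denies, and the tool list shown to the user is derived from the same check that gates invocation.

```python
# Added example: fail-open vs fail-closed grant lookup, modelled on the bug
# described in the advisory. Constructed for illustration; not DeepTutor's code.
# The names allowed_mcp_tools and "mcp_tools" follow the advisory text; the
# grant layout, tool inventory and other helper names are assumptions.
from typing import Optional

# Constructed MCP tool inventory for a deployment.
CONFIGURED_TOOLS = {"filesystem", "shell", "browser", "search"}

# Constructed grants: one user has an explicit tool list, one has none at all.
GRANTS = {
    "alice": {"role": "user", "mcp_tools": ["search"]},
    "bob": {"role": "user"},  # "mcp_tools" key omitted entirely
}


def allowed_mcp_tools_vulnerable(grant: dict) -> Optional[list]:
    """Returns None when the key is missing; every caller must special-case it."""
    return grant.get("mcp_tools")


def is_allowed_vulnerable(user: str, tool: str) -> bool:
    allowed = allowed_mcp_tools_vulnerable(GRANTS[user])
    # The bug: None is read as "no restriction configured" rather than "denied",
    # so an omitted grant silently becomes access to every configured tool.
    if allowed is None:
        return tool in CONFIGURED_TOOLS
    return tool in allowed


def allowed_mcp_tools_fixed(grant: dict) -> frozenset:
    """Fail closed: a missing or empty grant is an empty set, never None."""
    return frozenset(grant.get("mcp_tools") or ())


def is_allowed_fixed(user: str, tool: str) -> bool:
    # Deny unknown users and unconfigured tools; there is no None branch to get wrong.
    grant = GRANTS.get(user)
    if grant is None or tool not in CONFIGURED_TOOLS:
        return False
    return tool in allowed_mcp_tools_fixed(grant)


def visible_tools(user: str, check=is_allowed_fixed) -> set:
    """Tool list shown to a user, derived from the same check that gates invocation."""
    return {t for t in CONFIGURED_TOOLS if check(user, t)}
```

Running `visible_tools("bob", is_allowed_vulnerable)` lists every configured tool for a user with no grant, which is the enumeration step the advisory describes; the fixed check returns an empty set for the same user.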
Weakness Enumeration: Missing Authorization

Related Identifiers

Affected Products: Deeptutor