PT-2026-53919 · Hkuds · Deeptutor

Chia Min Jun Lennon · Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-58168

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
DeepTutor before version 1.4.10 contains an authorization bypass vulnerability that allows low-privilege users to invoke unrestricted MCP tools. The cause is that the allowed_mcp_tools function in deeptutor/multi_user/tool_access.py returns None instead of a denied result when mcp_tools is omitted from a user's grant, so a missing grant is treated as unrestricted access rather than a denial. Attackers or prompt-injected content acting within a user session can enumerate and invoke any configured MCP tool, including filesystem, shell, and browser servers, gaining unauthorized access to sensitive deployment resources.
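The fail-open pattern the description refers to, shown as an added illustration that is not DeepTutor's code: a grant lookup that returns None for a missing mcp_tools key beside a fail-closed version that returns an empty set. The grant records, tool names and helper functions here are constructed for this example.

```python
from typing import Optional

# Constructed sample: MCP tools configured for a deployment (not real config).
CONFIGURED_MCP_TOOLS = frozenset(
    {"filesystem.read", "filesystem.write", "shell.exec", "browser.navigate"}
)

# Constructed sample grants. "bob" has no mcp_tools key at all, which an
# administrator would reasonably expect to mean "no MCP tools".
GRANTS = {
    "alice": {"role": "editor", "mcp_tools": ["filesystem.read", "browser.navigate"]},
    "bob": {"role": "viewer"},
}


def allowed_mcp_tools_fail_open(grant: dict) -> Optional[set]:
    """Vulnerable shape: a missing key yields None rather than a denial."""
    tools = grant.get("mcp_tools")
    return set(tools) if tools is not None else None


def can_invoke_fail_open(grant: dict, tool: str) -> bool:
    allowed = allowed_mcp_tools_fail_open(grant)
    if allowed is None:
        # None is read as "unrestricted", so every configured tool is exposed.
        return tool in CONFIGURED_MCP_TOOLS
    return tool in allowed


def allowed_mcp_tools_fail_closed(grant: dict) -> frozenset:
    """Hardened shape: an absent, null or empty grant is an empty (denied) set."""
    tools = grant.get("mcp_tools") or ()
    # Also drop names that are not configured, so a stale grant cannot widen access.
    return frozenset(t for t in tools if t in CONFIGURED_MCP_TOOLS)


def can_invoke_fail_closed(grant: dict, tool: str) -> bool:
    return tool in allowed_mcp_tools_fail_closed(grant)


def enumerable_tools(grant: dict, check) -> list:
    """Tools a session could list under a given policy function."""
    return sorted(t for t in CONFIGURED_MCP_TOOLS if check(grant, t))


if __name__ == "__main__":
    for name, grant in GRANTS.items():
        print(name, "fail-open:", enumerable_tools(grant, can_invoke_fail_open))
        print(name, "fail-closed:", enumerable_tools(grant, can_invoke_fail_closed))
```

A regression test that asserts a grant without mcp_tools enumerates no tools is the check that would have caught this class of bug.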

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-58168

Affected Products

Deeptutor