PT-2026-60488 · Microsoft · Simplechat

CVE-2026-57206

·

Published

2026-07-16

·

Updated

2026-07-16

CVSS v3.1

8.6

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.206, several plugin validation routes in application/single app/plugin validation endpoint.py, including POST /api/admin/plugins/test-instantiation, GET /api/admin/plugins/health-check/<plugin name>, POST /api/admin/plugins/repair/<plugin name>, and POST /api/plugins/validate, relied on @swagger route(security=get auth security()) documentation without enforcing @login required, @user required, or @admin required at runtime, allowing unauthenticated or unauthorized clients to invoke plugin validation, health, and repair behavior. This issue is fixed in version 0.241.206.

Fix

Missing Authentication

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-57206

Affected Products

Simplechat