PT-2026-60488 · Microsoft · Simplechat
CVE-2026-57206
·
Published
2026-07-16
·
Updated
2026-07-16
CVSS v3.1
8.6
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L |
SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.206, several plugin validation routes in application/single app/plugin validation endpoint.py, including
POST /api/admin/plugins/test-instantiation, GET /api/admin/plugins/health-check/<plugin name>, POST /api/admin/plugins/repair/<plugin name>, and POST /api/plugins/validate, relied on @swagger route(security=get auth security()) documentation without enforcing @login required, @user required, or @admin required at runtime, allowing unauthenticated or unauthorized clients to invoke plugin validation, health, and repair behavior. This issue is fixed in version 0.241.206.Fix
Missing Authentication
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Simplechat