CVE-2026-57206
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Summary
SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.206, several plugin validation routes in application/single_app/plugin_validation_endpoint.py, including POST /api/admin/plugins/test-instantiation, GET /api/admin/plugins/health-check/<plugin_name>, POST /api/admin/plugins/repair/<plugin_name>, and POST /api/plugins/validate, relied on @swagger_route(security=get_auth_security()) documentation without enforcing @login_required, @user_required, or @admin_required at runtime, allowing unauthenticated or unauthorized clients to invoke plugin validation, health, and repair behavior. This issue is fixed in version 0.241.206.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| microsoft | simplechat | < 0.241.206 | affected |
Weaknesses
- CWE-306: CWE-306: Missing Authentication for Critical Function
- CWE-862: CWE-862: Missing Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/microsoft/simplechat/security/advisories/GHSA-g6gr-xp46-hrmj
- https://github.com/microsoft/simplechat/blob/main/docs/explanation/fixes/PLUGIN_VALIDATION_ROUTE_AUTH_FIX.md
- https://github.com/microsoft/simplechat/releases/tag/v0.250.001
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.