CVE-2026-3693
Improper Resource Identifier Control in AgentChat User Endpoint
Publication date: 2026-03-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shy2593666979 | agentchat | to 2.3.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-99 | The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-3693 is an Insecure Direct Object Reference (IDOR) vulnerability found in Shy2593666979 AgentChat versions up to 2.3.0. It affects the User Endpoint component, specifically the functions get_user_info and update_user_info in the file /src/backend/agentchat/api/v1/user.py.'}, {'type': 'paragraph', 'content': "The vulnerability arises because the user_id parameter is accepted directly from user input without proper authorization checks. This allows unauthenticated attackers to manipulate the user_id parameter to either access or modify arbitrary users' information, such as profile details including avatars and descriptions, without permission."}, {'type': 'paragraph', 'content': 'The attack can be initiated remotely and is straightforward to execute. Proof-of-concept exploits have been published demonstrating unauthorized access and modification of user data by manipulating the user_id parameter.'}, {'type': 'paragraph', 'content': 'Mitigation involves implementing proper authorization checks to ensure users can only access or update their own information, retrieving the user ID from authenticated sessions or tokens rather than user input, applying role-based access control (RBAC), and logging all attempts to access or modify user information for auditing.'}] [1, 2, 3, 4, 5]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing unauthenticated attackers to access or modify sensitive user information without authorization.
- Unauthorized disclosure of sensitive user data, compromising confidentiality.
- Unauthorized modification of user profiles, affecting data integrity.
- Potential disruption of service or trust in the system, impacting availability.
Because the exploit is publicly available and easy to execute remotely without authentication, the risk of exploitation is high, potentially leading to data breaches, loss of user trust, and reputational damage.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves manipulation of the user_id parameter in the /api/v1/user/info and /api/v1/user/update endpoints without proper authorization checks. Detection can focus on monitoring requests to these endpoints for suspicious or unauthorized user_id values.'}, {'type': 'paragraph', 'content': 'Suggested detection methods include:'}, {'type': 'list_item', 'content': 'Monitoring HTTP requests to /api/v1/user/info and /api/v1/user/update endpoints for unusual or unauthorized user_id parameters.'}, {'type': 'list_item', 'content': "Checking logs for attempts to access or modify user information where the user_id does not match the authenticated user's ID."}, {'type': 'list_item', 'content': 'Using web application firewall (WAF) rules to detect and block requests with manipulated user_id parameters.'}, {'type': 'paragraph', 'content': 'Example commands to detect suspicious activity might include:'}, {'type': 'list_item', 'content': "Using grep on web server logs to find requests with user_id parameters: grep -i 'user_id=' /var/log/nginx/access.log"}, {'type': 'list_item', 'content': 'Using curl or similar tools to test if unauthorized user_id manipulation is possible: curl -X PUT -d \'{"user_id":"<other_user_id>","user_avatar":"avatar","user_description":"desc"}\' https://yourserver/api/v1/user/update'}, {'type': 'list_item', 'content': 'Implementing audit logging to track all user information access and modification attempts.'}] [1, 2, 3, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for CVE-2026-3693 focus on preventing unauthorized manipulation of the user_id parameter in the affected endpoints.
- Implement proper authorization checks to ensure users can only access or update their own information.
- Retrieve the user ID from the authenticated session or token instead of accepting it as a user-supplied parameter.
- Apply role-based access control (RBAC) to restrict update and access operations to authorized users only.
- Log all attempts to access or modify user information for security auditing and anomaly detection.
Since the vendor has not responded or provided a patch, consider replacing the affected product or disabling the vulnerable endpoints until proper fixes are implemented.