CVE-2026-5585
Received Received - Intake
Information Disclosure in Tencent AI-Infra-Guard Task Detail Endpoint

Publication date: 2026-04-05

Last updated on: 2026-04-30

Assigner: VulDB

Description
A vulnerability was found in Tencent AI-Infra-Guard 4.0. The affected element is an unknown function of the file common/websocket/task_manager.go of the component Task Detail Endpoint. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-05
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5585
EUVD
EUVD-2026-19115
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tencent ai-infra-guard 4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5585 is a vulnerability in Tencent AI-Infra-Guard 4.0 that causes sensitive information disclosure through the Task Detail API endpoint. Specifically, when users submit tasks with sensitive API tokens, these tokens are stored in plaintext and shared by default. The API endpoint that retrieves task details does not mask these tokens, exposing them in the response.

Additionally, the authentication mechanism is critically flawed, relying only on an arbitrary username HTTP header without proper verification. This allows any unauthenticated attacker to impersonate users and access sensitive API tokens belonging to others.

Impact Analysis

This vulnerability allows unauthenticated attackers to obtain high-value API credentials for AI models belonging to other users or the platform. Such exposure can lead to severe financial loss due to unauthorized usage of API quotas and potential cross-platform compromise if tokens are reused elsewhere.

  • Unauthorized access to sensitive API tokens.
  • Potential financial loss from token theft and misuse.
  • Risk of broader compromise if tokens are reused across platforms.
Detection Guidance

This vulnerability can be detected by attempting to access the Task Detail API endpoint to see if sensitive API tokens are exposed without authentication.

A practical detection method involves using curl commands to simulate both a victim user submitting a task with a sensitive API token and an unauthenticated attacker retrieving the task details.

  • Submit a task with a sensitive API token using a POST request: curl -X POST http://<target>:8088/api/v1/app/taskapi/tasks -d '{"params": {"api_token": "sensitive_token_here"}}' -H 'Content-Type: application/json'
  • Extract the session_id from the response.
  • Retrieve the task details without authentication using a GET request: curl http://<target>:8088/api/v1/app/tasks/{session_id}

If the response includes the plaintext API token, the vulnerability is present.

Mitigation Strategies

Currently, no patches are available for this vulnerability.

Immediate mitigation steps include restricting access to the AI-Infra-Guard service, especially the Task Detail API endpoint, to trusted and authenticated users only.

Implement network-level controls such as firewall rules or VPN access to limit exposure.

Avoid sharing sensitive API tokens via the Task Detail endpoint until a fix is released.

Monitor logs for unauthorized access attempts to the Task Detail API.

Consider rotating any exposed API tokens immediately to prevent misuse.

Compliance Impact

This vulnerability results in the exposure of sensitive API tokens to unauthenticated attackers due to lack of token masking and weak authentication controls.

Such unauthorized disclosure of sensitive information can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls to protect sensitive data and prevent unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5585. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart