CVE-2026-12203
Received Received - Intake
Information Disclosure in HKUDS AI-Trader Research Export

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulDB

Description
A vulnerability was found in HKUDS AI-Trader up to 74caf996f78dcc0c657df8365c8544678a16e215. This affects an unknown part of the file /api/research/agents.csv of the component Research Export. Performing a manipulation results in information disclosure. Remote exploitation of the attack is possible. The exploit has been made public and could be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The patch is named 91a31aac1b0f4dbc6b8bef9f6eff0b7912e0bc65. Applying a patch is the recommended action to fix this issue. The vendor confirms: "Research export endpoints now require an authenticated agent with the research_exports capability".
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-06-15
AI Q&A
2026-06-15
EPSS Evaluated
N/A
NVD
CVE-2026-12203
EUVD
EUVD-2026-36678
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hkuds ai_trader to 74caf996f78dcc0c657df8365c8544678a16e215 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the HKUDS AI-Trader platform allows unauthenticated users to access sensitive data through the research export feature. Specifically, it affects the /api/research/agents.csv endpoint, enabling attackers to download the entire database of registered agents, including internal Agent IDs and precise financial balances. Although some data fields are partially anonymized, the lack of authentication permits bulk data scraping and unauthorized competitive intelligence gathering.

Impact Analysis

The vulnerability can lead to significant information disclosure, exposing sensitive agent data such as internal IDs and financial balances to unauthorized parties. This exposure can result in privacy breaches, loss of competitive advantage, and potential misuse of confidential financial information. Since the exploit is publicly known and remotely exploitable without authentication, it poses a high risk of data theft and unauthorized data scraping.

Detection Guidance

The vulnerability allows unauthenticated users to access the /api/research/agents.csv endpoint and download sensitive data such as the database of registered agents, including internal Agent IDs and financial balances.

To detect this vulnerability on your network or system, you can monitor for unauthorized or unauthenticated HTTP requests to the /api/research/agents.csv endpoint.

Suggested commands include using network monitoring or HTTP request inspection tools to check for access attempts to this endpoint without proper authentication.

  • Using curl to test access without authentication: curl -v http://<target-host>/api/research/agents.csv
  • Using tcpdump or Wireshark to filter HTTP GET requests to /api/research/agents.csv: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/api/research/agents.csv'
  • Using web server logs to identify unauthenticated access attempts to the research export endpoint.
Mitigation Strategies

The recommended immediate mitigation is to apply the patch identified by commit 91a31aac1b0f4dbc6b8bef9f6eff0b7912e0bc65, which enforces authentication and permission checks on the research export endpoints.

This patch requires that only authenticated agents with the research_exports capability can access the research export feature, preventing unauthenticated data exposure.

Until the patch can be applied, restrict access to the /api/research/agents.csv endpoint by network controls such as firewall rules or API gateway restrictions to prevent unauthenticated external access.

  • Apply the official patch from commit 91a31aac1b0f4dbc6b8bef9f6eff0b7912e0bc65.
  • Implement authentication and authorization checks on the research export API endpoints.
  • Restrict network access to the vulnerable endpoint until patched.
Compliance Impact

The vulnerability in HKUDS AI-Trader allows unauthenticated users to access sensitive data, including internal Agent IDs and precise financial balances, through the research export feature. This unauthorized data exposure poses a significant risk to data confidentiality.

Such exposure of sensitive personal and financial information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over personal data access and confidentiality.

The issue was addressed by implementing authentication and permission checks requiring an authenticated agent with the research_exports capability to access the research export endpoints, thereby improving compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12203. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart