CVE-2026-36719
Status: Received - Intake
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: MITRE

Description
An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: agentchat
Product: agentchat
Version / Range: 2.3.0
CWE ID: CWE-UNKNOWN (no CWE has been assigned to this entry)
AI Quick Actions
Executive Summary

CVE-2026-36719 is an information disclosure vulnerability in AgentChat version 2.3.0 and earlier. It exists in the /api/v1/user/info endpoint, where the API returns all user database fields without filtering out sensitive information.

Unauthenticated attackers can exploit this by enumerating user IDs to obtain sensitive data, including unsalted SHA256 password hashes.

Because the password hashes are unsalted, attackers can use rainbow tables or online hash-cracking services to recover the original passwords.

The root causes include improper filtering of sensitive fields in API responses, lack of cryptographically secure salted password hashing, and insufficient authentication and authorization checks.

Impact Analysis

This vulnerability can severely compromise user account security by exposing unsalted SHA256 password hashes to unauthenticated attackers.

Attackers can obtain these hashes by enumerating user IDs and then crack the hashes to recover user passwords.

Once passwords are compromised, attackers may gain unauthorized access to user accounts, potentially leading to data breaches, identity theft, or further exploitation within the system.

Detection Guidance

This vulnerability can be detected by testing the /api/v1/user/info endpoint of AgentChat version 2.3.0 or earlier to see if it returns sensitive information without authentication.

Specifically, you can attempt to enumerate user IDs by sending requests to the endpoint and checking if the response includes unsalted SHA256 password hashes and other sensitive user data.

A sample command using curl to test this might be:

  • curl -X GET "http://<agentchat-server>/api/v1/user/info?id=<user_id>"

If the response contains password hashes or other sensitive fields without requiring authentication, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include:

  • Implement proper field filtering in the /api/v1/user/info endpoint to exclude sensitive information such as password hashes.
  • Enforce strict authentication and authorization checks to ensure only authorized users can access user information.
  • Replace unsalted SHA256 password hashing with a secure salted hashing algorithm like bcrypt.
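The three mitigations above (an allow-list of response fields, an authentication and authorization check, and salted password hashing), shown as an added Python example. It is not AgentChat's code: the project's language and database schema are not on the page, so the user table and passwords are constructed, and PBKDF2-HMAC-SHA256 from the standard library stands in for the bcrypt the list recommends so that the example runs without third-party packages.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed in-memory user table standing in for AgentChat's database (the real
# schema is not on the page). Rows hold unsalted SHA256 hashes, as the advisory describes.
USERS = {
    1: {"id": 1, "username": "alice", "email": "alice@example.com", "role": "admin",
        "password_hash": hashlib.sha256(b"hunter2").hexdigest()},
    2: {"id": 2, "username": "bob", "email": "bob@example.com", "role": "user",
        "password_hash": hashlib.sha256(b"letmein").hexdigest()},
}

# Allow-list of fields that may appear in an /api/v1/user/info response.
PUBLIC_FIELDS = ("id", "username", "role")

def vulnerable_user_info(user_id: int) -> dict:
    """Behaviour the advisory describes: no auth check, the whole DB row is returned."""
    row = USERS.get(user_id)
    return {"status": 404} if row is None else {"status": 200, "body": dict(row)}

def hardened_user_info(user_id: int, session_user: Optional[int]) -> dict:
    """Requires a session; non-admins see only their own record; allow-listed fields only."""
    requester = USERS.get(session_user) if session_user is not None else None
    if requester is None:
        return {"status": 401}
    row = USERS.get(user_id)
    # Unknown IDs and other users' IDs get the same answer, so the endpoint reveals
    # nothing about which IDs exist.
    if row is None or (row["id"] != requester["id"] and requester["role"] != "admin"):
        return {"status": 404}
    return {"status": 200, "body": {k: row[k] for k in PUBLIC_FIELDS}}

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash stored as 'salt$digest' in hex. PBKDF2-HMAC-SHA256 with 600k
    iterations is the stand-in for bcrypt (assumption made for this example); a fresh
    16-byte random salt per password defeats rainbow tables."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return f"{salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 600_000)
    return hmac.compare_digest(dk.hex(), dk_hex)
```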

Compliance Impact

The vulnerability allows unauthenticated attackers to obtain sensitive user information, including unsalted SHA256 password hashes, by enumerating user IDs through the /api/v1/user/info endpoint.

This exposure of sensitive data can lead to compromised user accounts and violates principles of data protection and confidentiality required by common standards and regulations such as GDPR and HIPAA.

Specifically, the lack of proper authentication, authorization, and secure password hashing mechanisms means that personal data is not adequately protected, which may result in non-compliance with these regulations' requirements for safeguarding personal and sensitive information.
