CVE-2026-57474
Undergoing Analysis Undergoing Analysis - In Progress

Deloitte AI Assist for Customer API Information Exposure

Vulnerability report for CVE-2026-57474, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description

Deloitte AI Assist for Customer disclosed some configuration information through public-facing API endpoints that accepted unauthenticated requests. This information could reduce an attacker’s reconnaissance effort. On 2026-03-25, AI Assist for Customer restricted network access and enforced authentication for the previously exposed endpoints.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
deloitte ai_assist ascend

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves Deloitte AI Assist for Customer exposing some configuration information through public-facing API endpoints that did not require authentication. This exposure allowed attackers to gather information more easily during reconnaissance phases of an attack.

The issue was addressed on 2026-03-25 by restricting network access and enforcing authentication on these previously exposed endpoints.

Impact Analysis

The vulnerability could reduce the effort required by an attacker to perform reconnaissance on the system by providing access to configuration information without authentication.

This could potentially facilitate further attacks by giving attackers insights into the system setup, increasing the risk of exploitation.

Detection Guidance

This vulnerability involves unauthenticated access to public-facing API endpoints that disclose configuration information. Detection can be performed by scanning your network or system for these exposed endpoints and attempting unauthenticated HTTP requests to them.

You can use tools like curl or wget to test access to the suspected API endpoints. For example, a command like the following can be used to check if the endpoint is accessible without authentication:

  • curl -v http://<target-host>/api/endpoint

Additionally, network scanning tools such as Nmap with HTTP scripts can help identify exposed API endpoints:

  • nmap -p 80,443 --script http-enum <target-host>

Monitoring logs for unauthenticated requests to API endpoints and unusual access patterns can also help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting network access to the affected API endpoints and enforcing authentication to prevent unauthenticated access.

According to the CVE description, Deloitte AI Assist for Customer has already implemented these measures as of 2026-03-25.

  • Restrict access to the API endpoints by implementing network-level controls such as firewalls or access control lists.
  • Enforce strong authentication mechanisms on all public-facing API endpoints.
  • Review and update configurations to ensure no sensitive information is exposed through unauthenticated requests.
  • Monitor logs for unauthorized access attempts and respond accordingly.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57474. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart