CVE-2026-57476
Undergoing Analysis Undergoing Analysis - In Progress

Unauthenticated API Access in Deloitte AI Assist for Customer

Vulnerability report for CVE-2026-57476, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description

Deloitte AI Assist for Customer exposed unauthenticated API endpoints that allowed an attacker with knowledge of additional parameters to read from or inject content into the retrieval-augmented generation (RAG) corpus. On 2026-03-25, AI Assist for Customer restricted network access and enforced authentication for the previously exposed endpoints.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
deloitte ai_assist_for_customer *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves Deloitte AI Assist for Customer exposing unauthenticated API endpoints. An attacker who knows certain additional parameters could exploit these endpoints to either read from or inject content into the retrieval-augmented generation (RAG) corpus.

The issue was addressed on 2026-03-25 by restricting network access and enforcing authentication on the previously exposed endpoints.

Impact Analysis

This vulnerability could allow an attacker to access or modify sensitive data within the RAG corpus without authentication. This unauthorized access or injection could lead to data breaches, manipulation of information, or disruption of services relying on the integrity of the RAG corpus.

Mitigation Strategies

To mitigate this vulnerability, restrict network access to the affected Deloitte AI Assist for Customer API endpoints and enforce authentication for these endpoints.

These steps were implemented on 2026-03-25 to address the issue of unauthenticated API endpoints allowing unauthorized read or injection into the retrieval-augmented generation (RAG) corpus.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57476. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart