CVE-2026-57476
MEDIUM
4.8
CVSS 3.1
Description
Deloitte AI Assist for Customer exposed unauthenticated API endpoints that allowed an attacker with knowledge of additional parameters to read from or inject content into the retrieval-augmented generation (RAG) corpus. On 2026-03-25, AI Assist for Customer restricted network access and enforced authentication for the previously exposed endpoints.
Metadata
Severity & Metrics
4.8
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Deloitte | AI Assist for Customer | — | 0 < 2026-03-25, 2026-03-25 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-306 | cna | CWE-306 Missing Authentication for Critical Function |
CVSS scores (2)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 6.3 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| 4.8 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
References (4)
- url https://zerotolerance.me/advisories/deloitte-aiassist-ascend-2026-vu487875/
- url https://zerotolerance.me/advisories/assets/VU487875-deloitte-ascend-advisory.pdf
- url https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-191-01.json
- url https://www.cve.org/CVERecord?id=CVE-2026-57474