← Back
2026-02-06 20:30CVE-2026-25729GitHub_M
PUBLISHED5.2CWE-863

DeepAudit Affected by User Enumeration via Broken Access Control

DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, there is an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information including email addresses, phone numbers, full names, and role information.

Problem type

Affected products

lintsinghua

DeepAudit

<= 3.0.4 - AFFECTED

References

https://github.com/lintsinghua/DeepAudit/security/advisories/GHSA-vmmm-48w2-q56q

https://github.com/lintsinghua/DeepAudit/security/advisories/GHSA-vmmm-48w2-q56q

x_refsource_CONFIRM
https://github.com/lintsinghua/DeepAudit/commit/b2a3b26579d3fdbab5236ae12ed67ae2313175fd

https://github.com/lintsinghua/DeepAudit/commit/b2a3b26579d3fdbab5236ae12ed67ae2313175fd

x_refsource_MISC

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-25729
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-25729",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-02-06T20:50:17.216Z",
    "dateReserved": "2026-02-05T16:48:00.427Z",
    "datePublished": "2026-02-06T20:30:17.112Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-02-06T20:30:17.112Z"
      },
      "title": "DeepAudit Affected by User Enumeration via Broken Access Control",
      "descriptions": [
        {
          "lang": "en",
          "value": "DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, there is an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information including email addresses, phone numbers, full names, and role information."
        }
      ],
      "affected": [
        {
          "vendor": "lintsinghua",
          "product": "DeepAudit",
          "versions": [
            {
              "version": "<= 3.0.4",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-863: Incorrect Authorization",
              "cweId": "CWE-863",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/lintsinghua/DeepAudit/security/advisories/GHSA-vmmm-48w2-q56q",
          "name": "https://github.com/lintsinghua/DeepAudit/security/advisories/GHSA-vmmm-48w2-q56q",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        },
        {
          "url": "https://github.com/lintsinghua/DeepAudit/commit/b2a3b26579d3fdbab5236ae12ed67ae2313175fd",
          "name": "https://github.com/lintsinghua/DeepAudit/commit/b2a3b26579d3fdbab5236ae12ed67ae2313175fd",
          "tags": [
            "x_refsource_MISC"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-02-06T20:50:17.216Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}