HIGH 7.5

CVE-2026-36719: AgentChat v2.3.0 Unauthenticated Information Disclosure – Password Hash Leak

AgentChat version 2.3.0 contains a flaw in its user information API endpoint that allows anyone on the internet to retrieve sensitive user data without logging in. By systematically querying user ID numbers, an attacker can obtain password hashes and other personal information. The vulnerability requires no special privileges or user interaction—a determined attacker could automate the process to harvest data from many users.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-36719 is an unauthenticated information disclosure vulnerability affecting the /api/v1/user/info endpoint in AgentChat v2.3.0. The endpoint fails to enforce proper access controls, allowing attackers to enumerate user IDs and retrieve associated sensitive data including SHA256 password hashes without authentication. This is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The attack surface is network-accessible, requires no user interaction, and has low complexity—an attacker needs only to craft successive API requests with incrementing or guessed user IDs.

Business impact

Unauthorized disclosure of password hashes and user metadata creates multiple downstream risks. While SHA256 hashes cannot be directly reversed, they are subject to offline dictionary and rainbow-table attacks, especially for weak passwords. Compromised email addresses and account identifiers enable targeted social engineering, credential stuffing, and account takeover attempts. Organizations running AgentChat v2.3.0 face potential data breach notification obligations and reputational damage if user information is exfiltrated at scale. The lack of authentication bypass also indicates missing security controls that may affect other endpoints.

Affected systems

AgentChat v2.3.0 is confirmed vulnerable. Organizations must inventory all instances of this version in production and development environments. The advisory does not specify whether earlier versions (1.x) or later versions (2.4.0+) are affected; verification against the vendor advisory is required to determine the full scope of vulnerable releases.

Exploitability

This vulnerability poses a practical, near-term exploitation risk. The attack requires no authentication, no special tools beyond basic HTTP clients, and can be fully automated. An attacker with network access to the AgentChat deployment can begin enumerating users immediately. The CVSS 3.1 score of 7.5 (HIGH) reflects the ease of exploitation and high confidentiality impact, though integrity and availability are not compromised. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, but that status may change.

Remediation

Immediately upgrade AgentChat to a patched version beyond 2.3.0. Verify patch availability and version compatibility with your deployment before upgrading. As a temporary mitigation pending patching, restrict network access to the /api/v1/user/info endpoint to authenticated users only or place it behind a Web Application Firewall rule that requires valid authentication tokens. Review and revoke any password hashes that may have been exposed during the window of vulnerability.

Patch guidance

Contact your AgentChat vendor or check their security advisory portal for patched release versions. Upgrade should be tested in a staging environment first to confirm compatibility with dependent applications. Verify that the /api/v1/user/info endpoint enforces authentication checks in the patched version before deploying to production. Document the upgrade date and any interim access restrictions applied.

Detection guidance

Monitor access logs for the /api/v1/user/info endpoint, particularly unauthenticated requests or high volumes of requests with varying user ID parameters. Implement alerting for any unauthenticated hits to this endpoint. Review Web Access Logs from the publication date (2026-06-09) backward to identify potential reconnaissance activity. Look for sequential or range-based user ID queries that suggest enumeration attempts. If logs are available, prioritize analysis of any exfiltrated data and cross-reference against your user base to determine exposure scope.

Why prioritize this

This vulnerability merits immediate action due to the combination of high exploitability (no authentication required, network-accessible) and direct confidentiality impact (password hashes and user PII exposure). The lack of current KEV listing does not diminish urgency—exploitation can occur silently and at scale. Organizations must treat patching or mitigation as a priority-one security task.

Risk score, explained

CVSS v3.1 score of 7.5 reflects: (1) network-accessible attack vector with no authentication required; (2) low attack complexity; (3) high confidentiality impact (exposure of sensitive user data); (4) no integrity or availability impact. The score aligns with a HIGH severity rating appropriate for a data disclosure flaw in a user-facing API endpoint. Organizations with strict confidentiality requirements or sensitive user bases should treat this as critical.

Frequently asked questions

Can attackers use stolen password hashes to log into AgentChat accounts directly?

SHA256 hashes cannot be reversed to reveal plaintext passwords. However, attackers can perform offline dictionary attacks or use precomputed rainbow tables to crack weak passwords, potentially recovering credentials. Strong passwords are more resistant to this attack. Organizations should monitor for unauthorized login attempts and consider forcing password resets for affected users.

Do we need to patch if AgentChat is only accessible on a private network?

While network isolation reduces the immediate risk surface, it does not eliminate the vulnerability itself. Insiders, compromised network segments, or lateral movement from other breaches could still expose the endpoint. Patching is still strongly recommended as a defense-in-depth measure.

How do we know if our instance has been exploited?

Review API access logs for unauthenticated requests to /api/v1/user/info with varying user ID parameters. Look for spikes in request volume or sequential ID enumeration patterns. If no logging is enabled, enable it immediately and implement network monitoring. A forensic analysis may be needed to determine the extent of any breach.

Will upgrading AgentChat cause downtime?

Downtime depends on your deployment architecture and upgrade process. Test the patch in a non-production environment first. Many application upgrades support rolling or zero-downtime deployments. Coordinate with your vendor or internal DevOps team to plan a minimal-disruption upgrade window.

This analysis is based on the published CVE record and available security advisories as of the modification date (2026-06-17). Verify all patch version numbers, affected product ranges, and compatibility requirements against the official AgentChat vendor security bulletin before deploying updates. This explainer is provided for informational purposes to assist security decision-making and does not constitute legal advice or a guarantee of security. Organizations should conduct their own risk assessment and testing in their specific environments. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).