CVE-2026-25729 LOW

CVE-2026-25729: DeepAudit Affected by User Enumeration via Broken Access Control

Vendor Lintsinghua
Product DeepAudit
Weakness CWE-863 · Incorrect authorization
Published February 6, 2026
Last update February 6, 2026

CVSS base score

2.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01 Description

DeepAudit is a multi-agent system for code vulnerability discovery. In versions 3.0.4 and earlier, an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information, including email addresses, phone numbers, full names, and role information.
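The flaw class described above (authentication without an authorization check on a user-listing handler), shown beside a checked form with a regression helper. This is an added example, not DeepAudit's code: the User model, the "admin" role name, the handler names and the sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, asdict

ADMIN_ROLE = "admin"  # assumed role name, not taken from DeepAudit


@dataclass(frozen=True)
class User:
    id: int
    email: str
    phone: str
    full_name: str
    role: str


# Constructed sample records.
USERS = [
    User(1, "root@example.test", "+1-555-0100", "Ada Admin", "admin"),
    User(2, "bob@example.test", "+1-555-0101", "Bob Member", "member"),
    User(3, "eve@example.test", "+1-555-0102", "Eve Member", "member"),
]


class Forbidden(Exception):
    """Would map to HTTP 403 in a real handler."""


def list_users_flawed(requester: User) -> list[dict]:
    # Authentication only: any logged-in caller receives every record.
    return [asdict(u) for u in USERS]


def list_users_checked(requester: User) -> list[dict]:
    # Authorization: listing the whole directory requires the admin role.
    if requester.role != ADMIN_ROLE:
        raise Forbidden("user listing requires admin role")
    return [asdict(u) for u in USERS]


def exposed_peers(handler, requester: User) -> set[str]:
    """Regression helper: emails of *other* users the handler discloses."""
    try:
        rows = handler(requester)
    except Forbidden:
        return set()
    return {row["email"] for row in rows if row["id"] != requester.id}
```

Running exposed_peers against each list handler with a low-privilege account in CI gives a direct check that the authorization rule stays in place.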

Key dates

02 Disclosure timeline

February 6, 2026 CVE published
February 6, 2026 Record updated