CVE-2026-57475
Severity CVSS v4.0:
MEDIUM
Type:
CWE-306
Missing Authentication for Critical Function
Publication date:
10/07/2026
Last modified:
10/07/2026
Description
Deloitte AI Assist for Customer accepted unauthenticated POST requests through public-facing API endpoints that allowed a remote attacker to make limited additions to the configuration. These additions were not used by the system. On 2026-03-25, AI Assist for Customer restricted network access and enforced authentication for the previously exposed endpoints.
Impact
Base Score 4.0
6.90
Severity 4.0
MEDIUM
Base Score 3.x
5.30
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-191-01.json
- https://www.cve.org/CVERecord?id=CVE-2026-57474
- https://zerotolerance.me/advisories/assets/VU487875-deloitte-ascend-advisory.pdf
- https://zerotolerance.me/advisories/deloitte-aiassist-ascend-2026-vu487875/



