CVE-2026-57476
Severity CVSS v4.0:
MEDIUM
Type:
CWE-306
Missing Authentication for Critical Function
Publication date:
10/07/2026
Last modified:
10/07/2026
Description
Deloitte AI Assist for Customer exposed unauthenticated API endpoints that allowed an attacker with knowledge of additional parameters to read from or inject content into the retrieval-augmented generation (RAG) corpus. On 2026-03-25, AI Assist for Customer restricted network access and enforced authentication for the previously exposed endpoints.
Impact
Base Score 4.0
6.30
Severity 4.0
MEDIUM
Base Score 3.x
4.80
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-191-01.json
- https://www.cve.org/CVERecord?id=CVE-2026-57474
- https://zerotolerance.me/advisories/assets/VU487875-deloitte-ascend-advisory.pdf
- https://zerotolerance.me/advisories/deloitte-aiassist-ascend-2026-vu487875/



