CVE-2026-63307
Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
17/07/2026
Last modified:
17/07/2026
Description
Chat2DB before 5.3.0 contains an insecure direct object reference vulnerability in the GET /api/connection/datasource/{id} endpoint. The handler calls dataSourceService.queryExistent(id, ...) without an ownership check and returns the decrypted password field, allowing any authenticated non-admin user to enumerate datasource IDs and read the plaintext database credentials of datasources owned by other users.
Impact
Base Score 4.0
7.10
Severity 4.0
HIGH
Base Score 3.x
6.50
Severity 3.x
MEDIUM



