Cyber Resilience

CVE-2026-3693

Medium

Published: 08 March 2026

Published
08 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0003 7.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3693 is a medium-severity Resource Injection (CWE-99) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-3693 is a vulnerability in Shy2593666979 AgentChat versions up to 2.3.0, affecting the get_user_info and update_user_info functions in the file /src/backend/agentchat/api/v1/user.py within the User Endpoint component. The flaw stems from improper control of resource identifiers (CWE-99), triggered by manipulation of the user_id argument.

The vulnerability enables remote exploitation by unauthenticated attackers (PR:N) with low attack complexity (AC:L) and no user interaction (UI:N), yielding a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Attackers can achieve low impacts on confidentiality, integrity, and availability, likely allowing unauthorized access, modification, or disruption of user resources by bypassing identifier controls.

Advisories note that the vendor was contacted early regarding this disclosure but provided no response, with no patches or mitigations mentioned. Exploits have been published and are available in GitHub repositories such as https://github.com/CC-T-454455/Vulnerabilities/tree/master/agent-chat/vulnerability-1 and https://github.com/CC-T-454455/Vulnerabilities/tree/master/agent-chat/vulnerability-2, alongside details on VulDB at https://vuldb.com/?ctiid.349640, https://vuldb.com/?id.349640, and https://vuldb.com/?submit.765589.

EU & UK References

Vulnerability details

A flaw has been found in Shy2593666979 AgentChat up to 2.3.0. This issue affects the function get_user_info/update_user_info of the file /src/backend/agentchat/api/v1/user.py of the component User Endpoint. This manipulation of the argument user_id causes improper control of resource identifiers. It is…

more

possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote exploitation of a public-facing web API endpoint (user.py get/update functions) via resource identifier manipulation (IDOR/CWE-99) directly matches T1190 for gaining unauthorized access or performing modifications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-57971Shared CWE-99
CVE-2025-1642Shared CWE-99
CVE-2023-6605Shared CWE-99
CVE-2024-5706Shared CWE-99

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on user_id before allowing get_user_info or update_user_info operations, blocking the CWE-99 identifier manipulation.

prevent

Requires validation of the user_id input parameter to ensure it references only resources the authenticated caller is permitted to access.

prevent

Mandates proper issuance and binding of user identifiers so that resource IDs cannot be arbitrarily supplied or guessed by remote attackers.

References