Cyber Resilience

CVE-2026-5320

Medium

Published: 02 April 2026

Published
02 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0008 24.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5320 is a medium-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as NLP and Transformers; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2026-5320 is a missing authentication vulnerability affecting vanna-ai vanna versions up to 2.0.2. The issue resides in an unknown functionality within the /api/vanna/v2/ file of the Chat API Endpoint component. Manipulation of this endpoint bypasses required authentication checks, as classified under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function). The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-04-02.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation grants limited impact on confidentiality, integrity, and availability, potentially allowing unauthorized access to chat API functions.

Advisories reference disclosure details but note that the vendor was contacted early without any response, and no patches or mitigations are mentioned. Relevant URLs include https://github.com/August829/CVEP/issues/13, https://vuldb.com/submit/780727, https://vuldb.com/vuln/354652, and https://vuldb.com/vuln/354652/cti.

The exploit is public and publicly available for use, with vanna-ai's AI-driven nature potentially exposing deployments in data querying or analytics environments to unauthorized API interactions.

EU & UK References

Vulnerability details

A vulnerability was detected in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is an unknown functionality of the file /api/vanna/v2/ of the component Chat API Endpoint. Performing a manipulation results in missing authentication. The attack can be initiated…

more

remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

AI Security AnalysisAI

AI Category
NLP and Transformers
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authentication vulnerability in public-facing Chat API endpoint directly enables remote exploitation without credentials, mapping to T1190 for initial access to the application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44847Shared CWE-287, CWE-306
CVE-2026-5616Shared CWE-287, CWE-306
CVE-2026-7042Shared CWE-287, CWE-306
CVE-2025-58443Shared CWE-287, CWE-306
CVE-2025-11942Shared CWE-287, CWE-306
CVE-2026-6577Shared CWE-287, CWE-306
CVE-2026-27584Shared CWE-306
CVE-2026-6582Shared CWE-287, CWE-306
CVE-2026-6129Shared CWE-287, CWE-306
CVE-2026-5676Shared CWE-287, CWE-306

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations including authentication on the Chat API endpoint to prevent unauthorized remote manipulation.

prevent

Requires identification and authentication interfaces for public access protections on vulnerable web API endpoints like /api/vanna/v2/.

prevent

Monitors and controls communications at external boundaries to block unauthenticated access to the remote Chat API endpoint.

References