CVE-2026-25729
📋 TL;DR
DeepAudit versions 3.0.4 and earlier contain an improper access control vulnerability in the /api/v1/users/ endpoint that allows any authenticated user to enumerate all system users and retrieve sensitive personal information. This affects all deployments of DeepAudit 3.0.4 and earlier where the API is accessible.
💻 Affected Systems
- DeepAudit
📦 What is this software?
Deepaudit by Lintsinghua
⚠️ Risk & Real-World Impact
Worst Case
Attackers could harvest sensitive user data (emails, phone numbers, roles) for targeted phishing, social engineering, or credential stuffing attacks, potentially leading to account compromise and privilege escalation.
Likely Case
Authenticated users (including low-privilege accounts) can access the complete user directory, exposing PII and organizational structure information.
If Mitigated
With proper access controls, only authorized administrators can access user information, limiting exposure to sensitive data.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial via simple HTTP requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit b2a3b26579d3fdbab5236ae12ed67ae2313175fd
Vendor Advisory: https://github.com/lintsinghua/DeepAudit/security/advisories/GHSA-vmmm-48w2-q56q
Restart Required: Yes
Instructions:
1. Update to the latest DeepAudit version containing commit b2a3b26579d3fdbab5236ae12ed67ae2313175fd.
2. Restart the DeepAudit service.
3. Verify the fix by testing user enumeration.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the /api/v1/users/ endpoint using firewall rules or a web application firewall. The iptables rule below matches the path as a string in the plaintext HTTP payload, so it only helps where the API is served without TLS (or on the inside of a TLS-terminating proxy); for HTTPS, enforce the restriction at the reverse proxy or WAF instead.
iptables -A INPUT -p tcp --dport <api_port> -m string --string "/api/v1/users/" --algo bm -j DROP
Authentication Bypass Prevention
Implement additional authorization checks at the application level or proxy layer, for example allowing /api/v1/users/ only for administrative roles.
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to the DeepAudit API to authorized users only.
- Deploy a web application firewall (WAF) with rules to block requests to the vulnerable endpoint.
🔍 How to Verify
Check if Vulnerable:
As an authenticated user, send a GET request to /api/v1/users/ and check if it returns user data beyond your own.
Check Version:
Check DeepAudit version in web interface or configuration files, or run: grep -i version /path/to/deepaudit/config/*
Verify Fix Applied:
After patching, authenticated users should receive 403 Forbidden or only see their own data when accessing /api/v1/users/.
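The following is an added example, not DeepAudit's own code, that turns the "Check if Vulnerable" and "Verify Fix Applied" steps above into a repeatable check: feed it the status code and decoded JSON body of an authenticated GET to /api/v1/users/ on your own instance, together with your own user id, and it reports whether the endpoint is denied (403), scoped to your own record, or still returning other users' records. The response shape (a JSON list of user objects with "id", "email", "phone" and "role" keys, or a dict wrapping such a list) is an assumption for illustration; the sample bodies are constructed.

```python
"""Classify an authenticated /api/v1/users/ response for CVE-2026-25729.

Added illustration, not DeepAudit code. The response layout (list of user
objects, or a dict wrapping one under "users"/"results"/"data") and the
field names "id", "email", "phone", "role" are assumptions; adapt them to
what your instance actually returns.
"""
from typing import Any, Dict, List

# Fields the advisory names as exposed PII; used to report what leaked.
SENSITIVE_KEYS = ("email", "phone", "role")


def _extract_users(body: Any) -> List[dict]:
    """Pull the list of user records out of the (assumed) response layout."""
    if isinstance(body, list):
        return [u for u in body if isinstance(u, dict)]
    if isinstance(body, dict):
        for key in ("users", "results", "data"):  # common wrappers; assumption
            if isinstance(body.get(key), list):
                return [u for u in body[key] if isinstance(u, dict)]
        if "id" in body:  # a single record returned as a bare object
            return [body]
    return []


def assess_users_response(status_code: int, body: Any, own_user_id: Any) -> Dict[str, Any]:
    """Return a verdict dict: fixed / vulnerable / inconclusive, plus details."""
    if status_code == 403:
        return {"verdict": "fixed", "reason": "access denied (403)",
                "others": 0, "exposed_fields": []}
    if status_code != 200:
        return {"verdict": "inconclusive", "reason": f"unexpected status {status_code}",
                "others": 0, "exposed_fields": []}
    users = _extract_users(body)
    # Any record that is not the caller's own is a sign the fix is missing.
    others = [u for u in users if u.get("id") != own_user_id]
    exposed = sorted({k for u in others for k in SENSITIVE_KEYS if u.get(k)})
    if not others:
        return {"verdict": "fixed", "reason": "response scoped to own record",
                "others": 0, "exposed_fields": []}
    return {"verdict": "vulnerable",
            "reason": f"{len(others)} other user record(s) returned",
            "others": len(others), "exposed_fields": exposed}


# Constructed sample bodies (not real DeepAudit output).
VULNERABLE_BODY = [
    {"id": 1, "username": "alice", "email": "alice@example.com",
     "phone": "+1-555-0100", "role": "admin"},
    {"id": 2, "username": "bob", "email": "bob@example.com",
     "phone": "+1-555-0101", "role": "user"},
    {"id": 3, "username": "carol", "email": "carol@example.com", "role": "user"},
]
SCOPED_BODY = {"users": [VULNERABLE_BODY[1]]}  # only the caller's own record

if __name__ == "__main__":
    me = 2  # the authenticated caller's own id in the constructed data
    print(assess_users_response(200, VULNERABLE_BODY, me))
    print(assess_users_response(200, SCOPED_BODY, me))
    print(assess_users_response(403, None, me))
```

Run it against a captured response from a low-privilege account: a "vulnerable" verdict after patching means the fix is not actually deployed (for example the service was not restarted).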
📡 Detection & Monitoring
Log Indicators:
- Multiple GET requests to /api/v1/users/ from a single user or source IP
- Unusual user enumeration patterns in access logs
Network Indicators:
- HTTP traffic to /api/v1/users/ endpoint with successful (200) responses
SIEM Query:
source="deepaudit_logs" AND uri_path="/api/v1/users/" AND http_method="GET" AND status_code=200 | stats count by src_ip
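As an added example (not DeepAudit code), the script below replays the SIEM query above over structured access-log lines: it applies the same filter (source, uri_path, GET, status 200) and then counts hits per src_ip or per user, flagging sources at or above a threshold. The JSON-per-line log format and field names mirror the query's fields but are an assumption about DeepAudit's logging; the log lines are constructed.

```python
"""Replay the advisory's SIEM query for CVE-2026-25729 over access logs.

Added illustration, not DeepAudit code. Assumes structured JSON logs whose
field names match the SIEM query (source, uri_path, http_method,
status_code, src_ip); the sample lines below are constructed.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List

VULN_PATH = "/api/v1/users/"

# Constructed sample log (one JSON object per line); 10.0.0.5 fetches the
# user list three times, 10.0.0.9 once successfully and once denied.
SAMPLE_LOG = """\
{"source":"deepaudit_logs","ts":"2026-03-01T10:00:01Z","src_ip":"10.0.0.5","user":"alice","http_method":"GET","uri_path":"/api/v1/users/","status_code":200}
{"source":"deepaudit_logs","ts":"2026-03-01T10:00:02Z","src_ip":"10.0.0.5","user":"alice","http_method":"GET","uri_path":"/api/v1/users/","status_code":200}
{"source":"deepaudit_logs","ts":"2026-03-01T10:00:03Z","src_ip":"10.0.0.5","user":"alice","http_method":"GET","uri_path":"/api/v1/users/","status_code":200}
{"source":"deepaudit_logs","ts":"2026-03-01T10:00:04Z","src_ip":"10.0.0.9","user":"bob","http_method":"GET","uri_path":"/api/v1/projects/","status_code":200}
{"source":"deepaudit_logs","ts":"2026-03-01T10:00:05Z","src_ip":"10.0.0.9","user":"bob","http_method":"GET","uri_path":"/api/v1/users/","status_code":403}
{"source":"deepaudit_logs","ts":"2026-03-01T10:00:06Z","src_ip":"10.0.0.9","user":"bob","http_method":"GET","uri_path":"/api/v1/users/","status_code":200}
"""


def parse_log(text: str) -> List[dict]:
    """Parse JSON-per-line log text, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole search
    return events


def matches_query(ev: dict) -> bool:
    """The filter half of the SIEM query: successful GETs to the user list."""
    return (
        ev.get("source") == "deepaudit_logs"
        and ev.get("uri_path") == VULN_PATH
        and ev.get("http_method") == "GET"
        and ev.get("status_code") == 200
    )


def count_by(events: Iterable[dict], key: str) -> Dict[str, int]:
    """The 'stats count by <key>' half of the query (key: src_ip, user, ...)."""
    return dict(Counter(ev.get(key, "?") for ev in events if matches_query(ev)))


def flag_enumerators(events: Iterable[dict], key: str = "src_ip",
                     threshold: int = 3) -> Dict[str, int]:
    """Sources whose successful hits reach the threshold.

    The threshold is a tuning assumption: a single 200 already returns the
    whole directory on unpatched versions, so successful hits from non-admin
    accounts deserve review even below it."""
    return {k: n for k, n in count_by(events, key).items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("hits by src_ip:", count_by(evs, "src_ip"))
    print("hits by user:  ", count_by(evs, "user"))
    print("flagged:       ", flag_enumerators(evs))
```

After the fix is deployed, the same query should show 403s instead of 200s for non-administrators, which is the "Verify Fix Applied" condition above expressed as a log search.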