CVE-2026-3693
📋 TL;DR
This vulnerability in Shy2593666979 AgentChat allows attackers to manipulate user_id parameters in user information functions, enabling unauthorized access or modification of user data. It affects AgentChat versions up to 2.3.0 and can be exploited remotely without authentication.
💻 Affected Systems
- Shy2593666979 AgentChat
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access, modify, or delete all user accounts and sensitive data, potentially leading to complete system compromise.
Likely Case
Unauthorized access to user information, privilege escalation, or data manipulation affecting multiple users.
If Mitigated
Limited impact with proper input validation and access controls in place.
🎯 Exploit Status
Exploit has been published and may be used. Attack can be initiated remotely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Vendor was contacted but did not respond. Consider upgrading to any version above 2.3.0 if available.
🔧 Temporary Workarounds
Input Validation and Sanitization
allImplement strict input validation for user_id parameter to prevent manipulation
Implement parameter validation in /src/backend/agentchat/api/v1/user.py
Access Control Enhancement
allAdd session-based or token-based authentication checks before processing user_id
Add authentication middleware to user endpoint functions
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block suspicious user_id parameter manipulation
- Restrict network access to AgentChat endpoints to trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check if AgentChat version is ≤2.3.0 and review /src/backend/agentchat/api/v1/user.py for proper user_id validationCheck Version:
Check package version or review application configuration filesVerify Fix Applied:
Test user endpoint functions with manipulated user_id parameters to ensure proper access controls📡 Detection & Monitoring
Log Indicators:
- Unusual user_id parameter values in API requests
- Failed authentication attempts followed by successful user data access
Network Indicators:
- Unusual patterns of requests to /api/v1/user endpoints
- Requests with manipulated user_id parameters
SIEM Query:
source="agentchat" AND (uri_path="/api/v1/user" AND (param_user_id CONTAINS ".." OR param_user_id MATCHES "[^0-9]"))