CVE-2026-57476
Deloitte AI Assist for Customer unauthenticated RAG corpus read and write
Vexday Risk Score
10Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.3EPSS —KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
10 Jul 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Deloitte AI Assist for Customer exposed unauthenticated API endpoints that allowed an attacker with knowledge of additional parameters to read from or inject content into the retrieval-augmented generation (RAG) corpus. On 2026-03-25, AI Assist for Customer restricted network access and enforced authentication for the previously exposed endpoints.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
Deloitte · AI Assist for CustomerReferences
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-191-01.jsonhttps://www.cve.org/CVERecord?id=CVE-2026-57474https://zerotolerance.me/advisories/assets/VU487875-deloitte-ascend-advisory.pdfhttps://zerotolerance.me/advisories/deloitte-aiassist-ascend-2026-vu487875/