| Field | Value |
|---|---|
| Title | HKUDS AI-Trader 1.0 Information Disclosure |
| Description | The AI-Trader platform exposes a research-oriented data export endpoint that allows any unauthenticated user to download the full database of registered agents. The exported data includes internal Agent IDs and precise financial balances. While some fields attempt anonymization via hashing, the lack of an authentication gate allows bulk data scraping and competitive intelligence gathering by unauthorized actors.<br><br>**Missing Authentication Gate (CWE-306).** The router handling research exports at `/api/research/agents.csv` is not protected by the `JWTBearer` dependency used elsewhere in the application. Consequently, the server does not challenge the requester for a valid session token before streaming the database contents.<br><br>Furthermore, the endpoint supports a query parameter `anonymize=false`. When this is set, the server exports raw financial data. While the names are represented as SHA-256 hashes, the financial balance of every user on the platform is exposed in plaintext.<br><br>Vulnerable data flow:<br>1. The attacker sends a standard GET request to the research endpoint.<br>2. The backend service executes a `SELECT *` query on the agents table.<br>3. The service formats the result as a Comma Separated Values (CSV) file.<br>4. The server returns the file with a 200 OK status without verifying the requester's identity. |
| Source | https://github.com/Dave-gilmore-aus/security-advisories/blob/main/AI-Trader-Unauthenticated%20Sensitive%20Data%20Exposure%20in%20Research%20Export%20(CVE-Pending).md |
| User | davidgilmore (UID 96940) |
| Submission | 05/15/2026 00:05 (1 month ago) |
| Moderation | 06/14/2026 13:51 (1 month later) |
| Status | Accepted |
| VulDB entry | 370846 [HKUDS AI-Trader up to 74caf996f78dcc0c657df8365c8544678a16e215 Research Export /api/research/agents.csv information disclosure] |
| Points | 20 |
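The following is an added, stand-alone illustration of the fix the description implies; it is not AI-Trader's code and does not reproduce the project's `JWTBearer` implementation. It models the research export handler with standard-library Python only: a bearer-token check runs before any data is read, agent names are SHA-256 hashed as the advisory describes, and `anonymize=false` is honoured only for a privileged subject instead of being client-controlled for everyone. The signing secret, the `RESEARCH_ADMINS` role set, the HMAC token format (a stand-in for a JWT) and the agent rows are all constructed assumptions for the example.

```python
import csv
import hashlib
import hmac
import io
from typing import Optional, Tuple

# Constructed values for this example; AI-Trader's real secret, roles and
# agent schema are not known here.
SECRET = b"example-signing-key-not-for-production"
RESEARCH_ADMINS = {"research-admin"}  # hypothetical role allowed raw exports
AGENTS = [
    {"agent_id": 1001, "name": "alice", "balance": 10250.75},
    {"agent_id": 1002, "name": "bob", "balance": 98.10},
]


class Unauthorized(Exception):
    """The request carried no valid bearer token; maps to HTTP 401."""


def issue_token(subject: str) -> str:
    """Hypothetical issuer: '<subject>.<hex HMAC-SHA256 tag>' (stand-in for a JWT)."""
    tag = hmac.new(SECRET, subject.encode(), hashlib.sha256).hexdigest()
    return f"{subject}.{tag}"


def verify_bearer(authorization: Optional[str]) -> str:
    """The gate the advisory reports as missing: validate the token or refuse.

    Plays the role of the JWTBearer dependency and returns the token subject.
    """
    if not authorization or not authorization.startswith("Bearer "):
        raise Unauthorized("missing bearer token")
    subject, sep, tag = authorization[len("Bearer "):].rpartition(".")
    if not sep or not subject:
        raise Unauthorized("malformed token")
    expected = hmac.new(SECRET, subject.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise Unauthorized("invalid signature")
    return subject


def anonymize_name(name: str) -> str:
    """SHA-256 of the name, as the advisory describes. Caveat: an unsalted hash
    of a short, guessable name is a weak pseudonym; a keyed hash (HMAC with a
    server-side secret) would resist dictionary matching."""
    return hashlib.sha256(name.encode()).hexdigest()


def export_agents_csv(authorization: Optional[str], anonymize: bool = True,
                      agents=AGENTS) -> str:
    """Build the research CSV. Authentication happens before any data access,
    and anonymize=False is honoured only for a research-admin subject; every
    other caller receives the hashed export regardless of the query parameter."""
    subject = verify_bearer(authorization)
    reveal_names = (not anonymize) and subject in RESEARCH_ADMINS
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["agent_id", "name", "balance"])
    writer.writeheader()
    for row in agents:
        writer.writerow({
            "agent_id": row["agent_id"],
            "name": row["name"] if reveal_names else anonymize_name(row["name"]),
            "balance": f"{row['balance']:.2f}",
        })
    return buf.getvalue()


def handle_request(authorization: Optional[str], anonymize: bool = True) -> Tuple[int, str]:
    """Route-style wrapper: (200, csv) on success, (401, "") when the gate refuses."""
    try:
        return 200, export_agents_csv(authorization, anonymize)
    except Unauthorized:
        return 401, ""


if __name__ == "__main__":
    print(handle_request(None)[0])                                        # 401
    print(handle_request("Bearer " + issue_token("analyst"))[1])          # hashed export
    print(handle_request("Bearer " + issue_token("research-admin"), anonymize=False)[1])
```

The two properties worth checking in a real router are visible here: the token check is the first statement of the handler, so an unauthenticated request never reaches the database query, and the anonymization toggle is tied to the caller's identity rather than to a query parameter anyone can set.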