AgentChat 2.3.0 /api/v1/user/info weak password hash

Summaryinfo

A vulnerability labeled as problematic has been found in AgentChat 2.3.0. Affected by this vulnerability is an unknown functionality of the file /api/v1/user/info. Executing a manipulation can lead to weak password hash. This vulnerability is registered as CVE-2026-36719. No exploit is available.

Detailsinfo

A vulnerability classified as problematic was found in AgentChat 2.3.0. This vulnerability affects an unknown part of the file /api/v1/user/info. The manipulation with an unknown input leads to a weak password hash vulnerability. The CWE definition for the vulnerability is CWE-916. The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive. As an impact it is known to affect confidentiality. CVE summarizes:

An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs.

The advisory is shared for download at github.com. This vulnerability was named CVE-2026-36719 since 04/06/2026. The exploitation appears to be easy. No form of authentication is required for a successful exploitation. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1552.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Chat Software

Name

• AgentChat

Version

• 2.3.0

CPE 2.3info

• 🔒

CPE 2.2info

• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion