
CVE-2026-25729: CWE-863: Incorrect Authorization in lintsinghua DeepAudit

Severity: Low
Tags: Vulnerability, CVE-2026-25729, CWE-863
Published: Fri Feb 06 2026 (02/06/2026, 20:30:17 UTC)
Source: CVE Database V5
Vendor/Project: lintsinghua
Product: DeepAudit

Description

DeepAudit is a multi-agent system for code vulnerability discovery. In version 3.0.4 and earlier, an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information including email addresses, phone numbers, full names, and role information.

AI-Powered Analysis

AILast updated: 02/06/2026, 21:00:11 UTC

Technical Analysis

CVE-2026-25729 identifies an improper authorization vulnerability (CWE-863) in lintsinghua's DeepAudit product, a multi-agent system designed for code vulnerability discovery. Specifically, in versions 3.0.4 and earlier, the /api/v1/users/ REST API endpoint lacks adequate access control, allowing any authenticated user to enumerate all users registered in the system. This enumeration exposes sensitive personal information including email addresses, phone numbers, full names, and role assignments. The vulnerability requires no privileges beyond an authenticated account and no user interaction, so any authenticated user can trigger it with little effort. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, i.e. an ordinary authenticated account), no user interaction (UI:N), and low impact on confidentiality (C:L), with no impact on integrity or availability. Although the vulnerability does not directly compromise system integrity or availability, the leakage of user data can facilitate further attacks such as targeted phishing, social engineering, or privilege escalation attempts if combined with other vulnerabilities. No public exploits or active exploitation have been reported to date. The lack of a patch link suggests that users should seek vendor updates or implement compensating controls. This vulnerability highlights the importance of strict access control enforcement on sensitive API endpoints in security tools that manage user data.

Potential Impact

For European organizations, the primary impact of CVE-2026-25729 is the unauthorized disclosure of sensitive user information within DeepAudit deployments. This can undermine user privacy and potentially violate GDPR requirements if personal data such as email addresses and phone numbers are exposed without proper consent or safeguards. The information leakage could enable attackers or malicious insiders to conduct targeted phishing campaigns or social engineering attacks, increasing the risk of credential compromise or lateral movement within networks. Although the vulnerability does not directly affect system integrity or availability, the exposure of role information may reveal organizational structure and privilege levels, aiding attackers in planning further attacks. Organizations heavily reliant on DeepAudit for vulnerability management or software security auditing may face increased risk if attackers leverage this information. The low CVSS score reflects limited direct damage, but the indirect risks to confidentiality and compliance are notable. European companies with strict data protection obligations must address this vulnerability promptly to avoid regulatory penalties and reputational damage.

Mitigation Recommendations

To mitigate CVE-2026-25729, European organizations should first upgrade DeepAudit to a version later than 3.0.4 once available, as vendor patches or updates will likely address the improper authorization flaw. Until a patch is applied, organizations should implement strict access control policies on the /api/v1/users/ endpoint, restricting access only to trusted administrative users or service accounts. Network segmentation and firewall rules can limit API access to authorized personnel and systems. Additionally, monitoring and logging API access patterns can help detect unusual enumeration attempts. Organizations should review user roles and permissions within DeepAudit to ensure the principle of least privilege is enforced. Conducting internal audits to identify any unauthorized data access is advisable. Finally, employee awareness training on phishing and social engineering risks should be enhanced, given the potential for exposed user data to facilitate such attacks. If vendor patches are unavailable, consider disabling or restricting the vulnerable API endpoint temporarily as a last resort.
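The pattern described above, written out as an added illustration rather than DeepAudit's own code: a users listing handler that checks authentication but not authorization (the CWE-863 shape), the hardened form that restricts enumeration to administrators, and a small log check for the "unusual enumeration attempts" the mitigation text mentions. The user store, role names, `Principal` class and log line format are all constructed assumptions, not DeepAudit's schema or log format.

```python
from dataclasses import dataclass
from collections import Counter

# Constructed sample user store; field names are an assumption, not DeepAudit's schema.
USERS = [
    {"id": 1, "name": "Alice Admin", "email": "alice@example.invalid", "phone": "+10000000001", "role": "admin"},
    {"id": 2, "name": "Bob Dev", "email": "bob@example.invalid", "phone": "+10000000002", "role": "user"},
    {"id": 3, "name": "Carol Dev", "email": "carol@example.invalid", "phone": "+10000000003", "role": "user"},
]

@dataclass
class Principal:
    user_id: int
    role: str
    authenticated: bool = True

class Forbidden(Exception):
    pass

def list_users_vulnerable(caller: Principal) -> list[dict]:
    """CWE-863 shape: authentication is verified, authorization is never checked."""
    if not caller.authenticated:
        raise Forbidden("login required")
    return USERS  # every authenticated caller receives every record

def list_users_hardened(caller: Principal) -> list[dict]:
    """Authorization enforced: only admins may enumerate; others see only their own record."""
    if not caller.authenticated:
        raise Forbidden("login required")
    if caller.role == "admin":
        return USERS
    # Non-admins get their own record only; no directory view of other accounts.
    return [u for u in USERS if u["id"] == caller.user_id]

# Detection side: flag non-admin principals that hit the users endpoint repeatedly.
# Log lines are constructed; the "role user_id method path status" layout is an assumption.
SAMPLE_LOG = """\
user 2 GET /api/v1/users/ 200
user 2 GET /api/v1/users/ 200
user 2 GET /api/v1/users/?page=2 200
admin 1 GET /api/v1/users/ 200
user 3 GET /api/v1/projects/ 200
"""

def suspicious_enumerators(log: str, threshold: int = 2) -> dict[int, int]:
    """Return {user_id: hit_count} for non-admins reaching the threshold on /api/v1/users/."""
    hits = Counter()
    for line in log.splitlines():
        role, uid, _method, path, _status = line.split()
        if role != "admin" and path.startswith("/api/v1/users/"):
            hits[int(uid)] += 1
    return {uid: n for uid, n in hits.items() if n >= threshold}
```

In a real deployment the hardened check belongs in the framework's per-route authorization layer and the log check in the SIEM rule that watches the API access log, not in application code.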


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-05T16:48:00.427Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 698652d6f9fa50a62f31f19f

Added to database: 2/6/2026, 8:45:10 PM

Last enriched: 2/6/2026, 9:00:11 PM

Last updated: 2/6/2026, 10:00:09 PM

