Authorization Bypass Vulnerability in DeepTutor Affects User Privileges
CVE-2026-58168

7.7HIGH

Key Information:

Vendor: Hkuds
Status: Deeptutor
Vendor: CVE Published:; 30 June 2026

What is CVE-2026-58168?

DeepTutor, prior to version 1.4.10, suffers from an authorization bypass vulnerability that permits low-privilege users to access unrestricted MCP tools. This flaw arises due to the allowed_mcp_tools function returning None in cases where mcp_tools is not included in a user's permissions. As a result, an attacker or malicious content executed within a user session can access and utilize any configured MCP tool, such as filesystem, shell, and browser servers, thereby compromising sensitive resources in the deployment environment.

Affected Version(s)

DeepTutor 0 < 1.4.10

References

https://github.com/HKUDS/DeepTutor/releases/tag/v1.4.10

release-notes

https://github.com/HKUDS/DeepTutor/pull/579

issue-tracking

https://github.com/HKUDS/DeepTutor/commit/90046374b3dcd4f...

patch

CVSS V4

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 30, 2026
Vulnerability Reserved
Jun 29, 2026

Credit

Chia Min Jun Lennon

CVE-2026-58168 Data

JSON

Hkuds

What is CVE-2026-58168?

Affected Version(s)

References

CVSS V4

Timeline

Credit