Coordinated Disclosure · VU#487875

Multiple Vulnerabilities in Deloitte AI Assist Ascend Platform - five CVE classes, six tenants, published at Day 63 disposition checkpoint

CRITICAL HIGH FINAL CERT/CC Coordinated

VU#487875 · Published May 18, 2026 · Day 63 disposition checkpoint

Vendor
Deloitte Touche Tohmatsu Limited
Product
Deloitte AI Assist (Ascend Platform)
CVSS v3.1 (Highest)
9.1 CRITICAL
Researcher
Karim El Labban, ZERO|TOLERANCE Security Research
2
Critical
3
High
6
Tenants
59
Items Tracked
Section 01

Canonical Artifact

The canonical artifact for this advisory is the PGP-signed PDF below. The HTML content on this page is a reading surface for vendors, SBIR/contract evaluators, search engines, and accessibility tooling; the PDF is the load-bearing, cryptographically-signed reference. Hash and signature pin the PDF bytes; CERT/CC VINCE case archives provide an independent trust anchor.

Canonical Artifact
deloitte-aiassist-ascend-2026-vu487875.pdf 213 KB
SHA-256 a4782149ccdeed643a4d8f4a265b0f8e9016fb695708034930af2d417e67ab07
Signature PGP detached signature (.asc)
Signing Key 7171 FB9C 2AEA 69B9 FE4F 053F 7BD7 1863 418D C1BE
Key On keys.openpgp.org / /.well-known/pgp-key.txt
Verify
gpg --verify deloitte-aiassist-ascend-2026-vu487875.pdf.asc deloitte-aiassist-ascend-2026-vu487875.pdf
Section 02

Executive Summary

ZERO|TOLERANCE Security Research identified five classes of high-severity vulnerabilities in Deloitte's AI Assist platform (internally branded Ascend), an enterprise AI/ML workflow product delivered as multi-tenant SaaS to Fortune 500 clients. The vulnerabilities were observed in every assessed tenant deployment (6 of 6), including Deloitte's own production and development environments.

Findings include unauthenticated access to Keycloak administrative consoles across six production tenants, twelve backend API endpoints exposed without authentication on the primary assessment subject, server-side request forgery via configuration injection, password-grant authentication exposed on public OAuth clients with no rate limiting, and unauthenticated access to retrieval-augmented generation (RAG) document corpora with confirmed write-path for content poisoning.

All findings are exploitable from the public internet using only standard HTTP requests. No credentials, no authentication bypass, no exploitation primitives are required. The vulnerabilities were verified via passive reconnaissance and read-only API interaction. Reassessment activity across Day 3/4 (2026-03-19), Day 8 (2026-03-24), and Day 63 (2026-05-16) records a divergent remediation posture by environment: substantial decommission and rebuild work at five of six client environments, an active regression at the production Keycloak layer, and one architectural defect (password grant on public OAuth clients) that remains unfixed at Day 63.

Highest CVSS: 9.1 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:C). Exploitation status: no known in-the-wild exploitation observed by ZERO|TOLERANCE Security Research.

Section 03

Affected Components

Deloitte AI Assist platform (Ascend), deployed across the following observed tenants. Each tenant operates as an independent multi-tenant slice of the shared platform infrastructure. Each tenant operates a dedicated Keycloak identity instance, Azure API Management gateway, and backend service mesh, all internet-exposed at the time of initial disclosure.

TenantDeploymentSectorStatus
Primary assessment subjectClient productionMedical device manufacturingUnauthenticated access verified
Additional Fortune 500 tenant AClient productionHealthcare deviceCross-tenant API access verified
Additional Fortune 500 tenant BClient productionAutomotive aftermarketCross-tenant API access verified
Additional Fortune 500 tenant CClient productionSleep medicineCross-tenant API access verified
Deloitte ProductionInternalN/AUnauthenticated access verified
Deloitte Dev/QA/PreProdInternalN/AUnauthenticated access verified

Affected versions. This is a vendor-operated SaaS platform; no customer-installable versions apply. Scope is bounded by the Day 0 (2026-03-13) through Day 63 (2026-05-16) observation window.

Tenant identification. Tenant identities for A, B, and C are documented in CERT/CC VINCE case materials and available to the coordinator for vendor notification. This advisory presents corroborating tenant evidence in sector form to demonstrate the tenant-model defect without expanding incident disclosure beyond the primary assessment scope. Notification of affected tenants is a vendor responsibility under coordinated vulnerability disclosure norms.

Section 04

Vulnerability Overview

CVE-2026-TBD-001 7.5 HIGH

Unauthenticated Keycloak Administrative Console Exposure

CWE
CWE-306 Missing Authentication for Critical Function
Vector
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Component
Keycloak instances backing each AI Assist tenant
Instances
6 (one per tenant)

Description. Six Keycloak administrative consoles backing the AI Assist platform return HTTP 200 to unauthenticated requests on the public internet. Each console serves a distinct production tenant and exposes identical resource hashes across the population, indicating a shared deployment template that propagates the misconfiguration to every new tenant onboarded to the platform.

Impact. An unauthenticated remote attacker can enumerate realm configurations, observe OIDC client identifiers, and identify the full grant-type catalog supported by each realm. Combined with CVE-2026-TBD-004 (password grant), this provides the prerequisites for credential brute-force against the production identity plane.

CVE-2026-TBD-002 9.1 CRITICAL

Unauthenticated Backend API Endpoints

CWE
CWE-306 Missing Authentication for Critical Function
Vector
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Component
Backend services (auth-service, app-config, rag-service) behind Azure APIM
Endpoints
12 on primary tenant; cross-tenant access verified on 4 additional tenant gateways

Description. Twelve backend API endpoints across three services accept unauthenticated requests via the public Azure API Management gateway. The same endpoint pattern returns identical unauthenticated responses on the API Management gateways of all four additional tenants, confirming the deficiency is shared across the tenant population rather than localized to the primary assessment subject.

Authentication control verified. The corresponding v2 endpoint (/auth-service/v2/manage/user/all) correctly returns HTTP 401 to identical unauthenticated requests, confirming the v1 endpoints lack authentication by configuration deficiency, not platform-wide auth absence.

CVE-2026-TBD-003 8.1 HIGH

Server-Side Request Forgery via Configuration Injection

CWE
CWE-918 Server-Side Request Forgery
Vector
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
Component
/app-config/v1/config/get-instance write-path
Confirmation
Two records with corroborated HTTP capture (id:9, id:10); two further records (id:11, id:12) described in technical-delivery drafts without contemporaneous capture; asymmetry of evidence noted in disclosure

Description. The configuration write-path accepts unauthenticated POST requests that persist arbitrary base_url values into the production configuration store. The base_url field is consumed by downstream RAG and integration services that issue server-side HTTP requests to the configured URL.

Impact. An unauthenticated remote attacker can redirect downstream service-to-service requests to attacker-controlled infrastructure, capture authentication tokens issued by the platform to integration partners, and pivot to internal-only services reachable from the backend service mesh.

CVE-2026-TBD-004 8.1 HIGH

Password Grant on Public OAuth Clients Without Rate Limiting

CWE
CWE-521 Weak Password Requirements (paired with CWE-307 missing brute-force protection)
Vector
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Component
Keycloak OIDC clients (web-app-client, admin-cli) across multiple realms
Instances
6+ realms (one per tenant plus master realms)

Description. The OIDC configuration for the AI Assist platform exposes seven grant types on the public OAuth client, including password (Resource Owner Password Credentials) and implicit. The admin-cli client is active on the master realm of multiple instances. Password-grant requests against web-app-client and admin-cli produce "Invalid user credentials" responses, confirming the grant type is processed by the identity plane. No rate-limiting was observed on the public endpoint.

Impact. Combined with CVE-2026-TBD-002 (user enumeration via token-fetch), an unauthenticated remote attacker can enumerate valid usernames against the production identity plane and then brute-force credentials against those accounts without rate limiting. Successful credential capture yields full identity-plane access including the administrative API surface accessible to admin-cli.

CVE-2026-TBD-005 9.1 CRITICAL

Unauthenticated RAG Corpus Access and Content Poisoning

CWE
CWE-639 Authorization Bypass Through User-Controlled Key
Vector
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Component
rag-service endpoints (retrieval + file-content-retrieval + general-content-file-ingestion)
Confirmation
Three RAG endpoints respond to unauthenticated POST requests

Description. Three retrieval-augmented generation (RAG) endpoints accept unauthenticated requests against the production RAG corpus. The retrieval and file-content-retrieval endpoints expose stored document content; the general-content-file-ingestion endpoint provides a write-path into the corpus.

Impact - two distinct attacker primitives:

  1. Exfiltration. An unauthenticated remote attacker can query and retrieve any document indexed in the production RAG corpus across affected tenants.
  2. Poisoning. An unauthenticated remote attacker can ingest arbitrary content into the production RAG corpus, which is then returned to authorized end-users as authoritative reference material via the platform's AI-generated outputs.

Full per-CVE detail including endpoint inventories, HTTP capture evidence, and resource-hash verification across the reassessment cycle is documented in the canonical PDF advisory.

Section 05

Coordination Timeline

DateEvent
2026-03-12 to 2026-03-13Initial assessment of Deloitte internet-facing infrastructure (passive reconnaissance)
2026-03-13Direct disclosure to Deloitte Canada Chief Information Security Officer
2026-03-19Day 3/4 post-disclosure reassessment: zero remediation observed
2026-03-20Day 7 observation: six Keycloak administrative consoles return HTTP 404 (network-layer restriction applied)
2026-03-24Day 8 post-disclosure reassessment: five APIM gateways unreachable / firewalled; six Keycloak admin consoles confirmed 404; ~46 items moved to "not externally verifiable" state
2026-04-17CERT/CC case opened (VU#487875)
2026-04-21CISA Vulnerability Response Coordination engaged; case migrated to CISA VRC
2026-04-29Reassessment supplements uploaded to VINCE Documents
2026-05-08Vendor (Deloitte Ascend Platform) engaged on case coordination thread
2026-05-12Publication anchor proposed at 2026-05-18 via coordination thread
2026-05-16Day 63 post-disclosure reassessment: divergent remediation posture recorded
2026-05-18Public disclosure (this advisory)

Publication on Day 63 follows the early coordinated close provision in ZT Disclosure Policy v1.6 ยง4.

Coordination stance. This advisory was published on the date proposed via the CERT/CC coordination thread (2026-05-12) and accepted on-thread.

Section 06

Day 63 Disposition

Reassessments were conducted at Day 3/4 (2026-03-19), Day 8 (2026-03-24), and Day 63 (2026-05-16) post-disclosure, each applying the same passive-reconnaissance methodology used in the original assessment. Between Day 8 and Day 63 the remediation picture diverged sharply by environment. Findings break into four buckets:

Bucket 5.1 42 items

Remediated and Externally Verified

Items remediated to a stronger state than the Day 8 perimeter posture, with remediation independently verifiable from the public internet. Includes 5 of 6 Keycloak admin consoles decommissioned (NXDOMAIN), 5 of 5 APIM gateways removed (NXDOMAIN), all 12 backend API endpoints closed at the network layer or with application-layer auth enforcement (1 endpoint confirmed HTTP 401 on retopologized prod APIM), and client-side config bundles returning 404 on the reachable frontends. First externally-observable evidence of genuine application-layer authentication enforcement on a previously-unauthenticated endpoint.

Bucket 5.2 13 items

Not Externally Verifiable Post-Fix

Items moved into a state where internal application-layer remediation status cannot be assessed from external reconnaissance. The infrastructure rebuilds on Azure Private Link are not publicly reachable, so OIDC grant-type configuration, admin-cli master-realm posture, the unauthenticated endpoint inventory, and identity-token-theft vector status cannot be probed externally. Underlying defects may have been addressed, may have been carried into the rebuilt infrastructure, or may have been mooted by the decommission. External methodology cannot distinguish.

Bucket 5.3 2 items

Regressed Since Day 8

The production Keycloak administrative console (ai-assist2prd-keycloak-contapp1.[...].azurecontainerapps.io, full FQDN in canonical PDF) returned HTTP 404 at Day 8 (network-layer restriction); at Day 63 it returns HTTP 200 with full Keycloak Administration Console served. The resource version identifier 8yof5 served at Day 63 matches the identifier captured in original 2026-03-13 reconnaissance - the instance is in the same configuration state as Day 0.

Bucket 5.4 2 items

Never Remediated

The architectural design choice to expose the OAuth Resource Owner Password Credentials grant type on the public web-app-client, paired with the implicit grant type and the absence of observed rate limiting on the public endpoint, is present at the production Keycloak at both Day 0 and Day 63, with no public-internet-boundary fix applied at any point in the reassessment cycle.

Disposition Scorecard by Category

Category Items Remediated Opaque Regressed Never Fixed
Keycloak administrative console exposure65010
Password grant on public OAuth client6+05+01
Master realm admin-cli active30201
Unauthenticated backend API endpoints1212000
User enumeration via gateway55000
Identity token theft vectors33000
Configuration injection / SSRF11000
RAG document access and poisoning33000
Keycloak version patching65010
Client-side config bundle exposure53200
Container identity disclosure55000
Injected test record cleanup (id:9-12)40400
TOTAL 59 42 13 2 2

Full 59-item findings annex with per-item evidentiary status and reassessment captures available in Appendix A of the canonical PDF.

Section 07

Mitigation Guidance

The following mitigations apply to the vendor and to any organization operating a multi-tenant identity-fronted SaaS platform with comparable architecture.

Immediate (within 24 hours)

  • Restrict Keycloak administrative console access to authenticated administrative networks only. Block public-internet access at the load balancer or Azure Application Gateway layer.
  • Disable the password grant type across all public-facing OAuth clients. Disable implicit grant.
  • Disable admin-cli access on master realms. If admin-cli is required operationally, restrict to internal-only network reachability.
  • Enforce authentication on all /auth-service/v1/manage/*, /app-config/v1/config/*, and /rag-service/v1/rag/* endpoints at the API Management gateway layer.
  • Audit Keycloak realm exports for unauthorized OIDC clients added during the exposure window.

Within 7 days

  • Audit the production configuration store for unauthorized records, including the test records in the id:9 through id:12 range.
  • Implement rate-limiting and account-lockout policies on the identity plane.
  • Audit the RAG corpus for unauthorized ingested content.

Within 30 days

  • Reassess the multi-tenant deployment template that propagates these defects across new tenant onboarding.
  • Implement authentication-by-default policy for all internal service-to-service communication.
  • Conduct third-party verification of remediation against the 59-item tracked inventory, with particular attention to Bucket 5.3 (regressed production Keycloak) and Bucket 5.4 (architectural password-grant defect).

Detection Guidance

  • API Management gateway logs: review for unauthenticated 2xx responses on the endpoint patterns listed in CVE-2026-TBD-002.
  • Keycloak administrative console access logs: review for sessions originating from non-administrative networks during the exposure window.
  • Configuration store audit: query for base_url values not matching the operator's allowlist of permitted integration partners.
  • RAG corpus audit: review ingested documents for content lacking expected client-origin metadata during the exposure window.
Section 08

References & Acknowledgments

References

Acknowledgments

Coordinated through CERT/CC VINCE (VU#487875). CISA Vulnerability Response Coordination engaged as of 2026-04-21 (ANALYGENCE / CISA VRC).

This advisory was prepared by Karim El Labban, ZERO|TOLERANCE Security Research. The findings were validated via passive reconnaissance and read-only API interaction. No credentials were used, created, or brute-forced. No data was exfiltrated beyond what was returned in standard HTTP responses to unauthenticated requests. All testing was conducted from a single attribution-clean IP. Test artifacts are documented in CERT/CC case materials.

For coordinated disclosure inquiries or to verify advisory integrity, contact security@zerotolerance.me. Public key 0x7BD71863418DC1BE is published on keys.openpgp.org and at /.well-known/pgp-key.txt.

← Back to Advisories Index