Skip to main content

stoatchat CVE-2025-71388

| EUVDEUVD-2025-210476 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-16 VulnCheck GHSA-9hv3-3cv6-jrx3
7.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable REST endpoint (AV:N/AC:L) abusable by any authenticated read-only member (PR:L, no UI); token disclosure gives C:H and impersonated posting gives I:H, with no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 16, 2026 - 13:22 vuln.today
Analysis Generated
Jul 16, 2026 - 13:22 vuln.today
CVE Published
Jul 16, 2026 - 12:19 cve.org
HIGH 7.6

DescriptionCVE.org

stoatchat (delta/Revolt) versions from 20241213-1 before 20250210-1 allow users with only ViewChannel (read) permission on a channel to fetch that channel's webhooks, including their tokens, because the webhook fetch endpoint checked for ViewChannel instead of ManageWebhooks. Using a retrieved token, an attacker can send arbitrary messages to the channel, bypassing channel permissions and impersonating a bot or webhook. Fixed in 20250210-1 (0.8.2).

AnalysisAI

Webhook token disclosure in stoatchat (the Rust 'delta' backend of the Revolt/stoatchat platform) lets any channel member holding only ViewChannel (read) permission enumerate a channel's webhooks and read their secret tokens. Because a retrieved token authorizes posting, the attacker can then inject arbitrary messages while impersonating a bot or webhook, bypassing the channel's ManageWebhooks and posting permissions. Reported by VulnCheck and fixed in 20250210-1 (0.8.2); no public exploit identified at time of analysis.

Technical ContextAI

stoatchat is the current name for the delta/Revolt self-hosted chat platform; the flaw is in the delta backend's REST route crates/delta/src/routes/channels/webhook_fetch_all.rs. The endpoint enforced the wrong authorization predicate, calling throw_if_lacking_channel_permission(ChannelPermission::ViewChannel) instead of ChannelPermission::ManageWebhooks. This is a textbook CWE-639 (Authorization Bypass Through User-Controlled Key / improper object-level authorization): a privileged resource (the webhook object, which embeds a bearer-style token) is exposed to any principal who can merely view the channel. Webhook tokens in this model are capability secrets - possession alone grants message-send rights - so leaking them collapses the separation between read and write permissions.

RemediationAI

Vendor-released patch: upgrade to stoatchat 20250210-1 (0.8.2) or later, which corrects the permission check to require ManageWebhooks (fix commit https://github.com/stoatchat/stoatchat/commit/e3723d647effb81ea3d3919d848faf64dbe89829, advisory https://github.com/stoatchat/stoatchat/security/advisories/GHSA-8684-rvfj-v3jq). Because any exposed token is a durable secret, patching alone is insufficient: after upgrading, rotate/regenerate all webhook tokens for channels that had readers who could have called the fetch endpoint, since previously leaked tokens remain valid. As an interim control on unpatched instances, minimize or remove ViewChannel grants on channels that host webhooks and audit which webhooks exist on sensitive channels; the trade-off is reduced read access for ordinary members. Monitor message metadata for unexpected webhook/bot posts to detect abuse of already-leaked tokens.

Share

CVE-2025-71388 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy