Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible, low-complexity; authenticated low-privileged user (PR:L) exploits missing authorization check with no victim interaction required; no availability impact observed.
Primary rating from Vendor (vuldb).
CVSS VectorVendor: vuldb
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A flaw has been found in khoj-ai khoj up to 2.0.0-beta.28. This impacts an unknown function of the file src/khoj/routers/api_chat.py of the component Conversation Sharing Handler. This manipulation of the argument conversation.agent causes incorrect authorization. Remote exploitation of the attack is possible. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.
AnalysisAI
Incorrect authorization in khoj's Conversation Sharing Handler exposes private agent configurations to authenticated low-privileged users in versions up to 2.0.0-beta.28. The conversation.agent parameter is passed through shared conversation copy paths in src/khoj/routers/api_chat.py without verifying the requesting user's permission to access that agent, allowing leakage of private agent personality instructions and system prompts across trust boundaries. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to be an authenticated, low-privileged user on a multi-user khoj deployment running version 2.0.0-beta.28 or earlier (confirmed by PR:L in the CVSS 4.0 vector - unauthenticated exploitation is not possible). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 2.0 is low, reflecting limited per-axis impact (VC:L/VI:L/VA:L, no subsequent-system impact) and the requirement for authenticated low-privileged access (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user on a shared khoj deployment obtains a public conversation link for a conversation that a different user created while using a private agent. By accessing that shared conversation URL, the attacker triggers create_conversation_from_public_conversation, which - without the fix - directly assigns the private agent to the new conversation copy without an authorization check. … |
| Remediation | No officially released patched version has been confirmed at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40005
GHSA-5f46-vq6x-rmc9