Skip to main content

DeepMyst Mysti CVE-2026-13591

| EUVDEUVD-2026-40153 LOW
Incorrect Privilege Assignment (CWE-266)
2026-06-29 cna@vuldb.com GHSA-4pqr-v6c3-x77j
1.3
CVSS 4.0 · Vendor: vuldb

Severity by source

Vendor (vuldb) PRIMARY
1.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.0 MEDIUM

Network-reachable but requires authenticated low-privilege session (PR:L) and high complexity (AC:H); limited low-level CIA impact with no scope change.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (vuldb).

CVSS VectorVendor: vuldb

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 17:32 vuln.today

DescriptionCVE.org

A weakness has been identified in DeepMyst Mysti 0.4.0. Affected is the function _isTrackedConversation of the file src/managers/ChannelBridge.ts of the component Contact Tracking. This manipulation of the argument _channelType causes improper authorization. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The exploit has been made available to the public and could be used for attacks. Patch name: 9b4aff0f106db424aa45a35aa89dd0b8f2eb9a48. It is suggested to install a patch to address this issue.

AnalysisAI

Improper authorization in DeepMyst Mysti 0.4.0 permits authenticated remote attackers to bypass access controls in the Contact Tracking component by supplying a manipulated _channelType argument to the _isTrackedConversation function in src/managers/ChannelBridge.ts. The CVSS 4.0 score of 1.3 reflects genuine low severity - all CIA impacts are rated Low and no subsequent system scope is affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege account
Delivery
Identify Contact Tracking API endpoint
Exploit
Enumerate exploitable _channelType values
Execution
Submit crafted request to _isTrackedConversation
Persist
Bypass improper authorization check
Impact
Access unauthorized conversation or contact tracking data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session with at least low-privilege access to the DeepMyst Mysti application (confirmed by PR:L in the CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.0 score of 1.3 accurately reflects a low-severity finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privilege authenticated session remotely submits a crafted request to the Contact Tracking endpoint, supplying a manipulated `_channelType` value that the `_isTrackedConversation` function fails to properly authorize. The authorization bypass allows the attacker to access conversation tracking records or contact metadata outside their permitted scope. …
Remediation Apply the upstream fix via Git commit 9b4aff0f106db424aa45a35aa89dd0b8f2eb9a48, available at https://github.com/DeepMyst/Mysti/commit/9b4aff0f106db424aa45a35aa89dd0b8f2eb9a48, and monitor the associated pull request at https://github.com/DeepMyst/Mysti/pull/43 for a formally tagged release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13591 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy