Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'ID' in '/api/v1/download/<ID>/'.
AnalysisAI
An incorrect authorization vulnerability in HiJiffy Chatbot allows unauthenticated attackers to download private messages from arbitrary users by manipulating the 'ID' parameter in the '/api/v1/download/<ID>/' endpoint. This is a classic authorization bypass enabling unauthorized access to sensitive conversation data. No public exploit code or active exploitation has been identified at the time of analysis, though the vulnerability was reported by INCIBE and affects all versions of HiJiffy Chatbot. The exposure is direct and requires only network access to the affected API endpoint.
Technical ContextAI
The vulnerability resides in the HiJiffy Chatbot application (CPE: cpe:2.3:a:hijiffy:hijiffy_chatbot:*:*:*:*:*:*:*:*), which is a web-based conversational AI platform. The root cause is classified as CWE-863 (Incorrect Authorization), indicating the application fails to enforce proper access controls when users request to download message archives. The '/api/v1/download/<ID>/' API endpoint accepts a user-supplied ID parameter without sufficient validation or authorization checks to confirm the requesting user owns or has permission to access the specified conversation data. This is a typical broken access control flaw where the API trusts client-supplied identifiers to retrieve sensitive resources without verifying the requestor's relationship to those resources.
RemediationAI
Contact HiJiffy immediately to obtain a vendor-released patch or security update addressing the authorization bypass. Implement the fix in your deployment as soon as it becomes available. Pending patch availability, enforce immediate mitigation controls: restrict network access to the '/api/v1/download/' endpoint to only authenticated and authorized users via Web Application Firewall (WAF) rules; implement strict input validation and rate limiting on the ID parameter to prevent enumeration; enable detailed logging and alerting on all download API requests to detect exploitation attempts; and consider temporarily disabling the download functionality if it is not critical to operations. Consult the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hijiffy-chatbot for additional guidance and patch release information.
More in Hijiffy Chatbot
View allSame weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16148