Skip to main content

Hijiffy Chatbot CVE-2026-4262

| EUVDEUVD-2026-16148 MEDIUM
Incorrect Authorization (CWE-863)
2026-03-26 INCIBE
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 09:30 euvd
EUVD-2026-16148
Analysis Generated
Mar 26, 2026 - 09:30 vuln.today
CVE Published
Mar 26, 2026 - 09:06 nvd
MEDIUM 6.9

DescriptionCVE.org

Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'ID' in '/api/v1/download/<ID>/'.

AnalysisAI

An incorrect authorization vulnerability in HiJiffy Chatbot allows unauthenticated attackers to download private messages from arbitrary users by manipulating the 'ID' parameter in the '/api/v1/download/<ID>/' endpoint. This is a classic authorization bypass enabling unauthorized access to sensitive conversation data. No public exploit code or active exploitation has been identified at the time of analysis, though the vulnerability was reported by INCIBE and affects all versions of HiJiffy Chatbot. The exposure is direct and requires only network access to the affected API endpoint.

Technical ContextAI

The vulnerability resides in the HiJiffy Chatbot application (CPE: cpe:2.3:a:hijiffy:hijiffy_chatbot:*:*:*:*:*:*:*:*), which is a web-based conversational AI platform. The root cause is classified as CWE-863 (Incorrect Authorization), indicating the application fails to enforce proper access controls when users request to download message archives. The '/api/v1/download/<ID>/' API endpoint accepts a user-supplied ID parameter without sufficient validation or authorization checks to confirm the requesting user owns or has permission to access the specified conversation data. This is a typical broken access control flaw where the API trusts client-supplied identifiers to retrieve sensitive resources without verifying the requestor's relationship to those resources.

RemediationAI

Contact HiJiffy immediately to obtain a vendor-released patch or security update addressing the authorization bypass. Implement the fix in your deployment as soon as it becomes available. Pending patch availability, enforce immediate mitigation controls: restrict network access to the '/api/v1/download/' endpoint to only authenticated and authorized users via Web Application Firewall (WAF) rules; implement strict input validation and rate limiting on the ID parameter to prevent enumeration; enable detailed logging and alerting on all download API requests to detect exploitation attempts; and consider temporarily disabling the download functionality if it is not critical to operations. Consult the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hijiffy-chatbot for additional guidance and patch release information.

Share

CVE-2026-4262 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy