Skip to main content

Hijiffy Chatbot CVE-2026-4263

| EUVDEUVD-2026-16150 MEDIUM
Incorrect Authorization (CWE-863)
2026-03-26 INCIBE
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 09:30 euvd
EUVD-2026-16150
Analysis Generated
Mar 26, 2026 - 09:30 vuln.today
CVE Published
Mar 26, 2026 - 09:12 nvd
MEDIUM 6.9

DescriptionCVE.org

Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'visitor' in '/api/v1/webchat/message'.

AnalysisAI

HiJiffy Chatbot contains an authorization bypass vulnerability in the /api/v1/webchat/message endpoint that allows unauthenticated attackers to download private messages from arbitrary users by manipulating the 'visitor' parameter. The vulnerability affects all versions of HiJiffy Chatbot (as indicated by the wildcard CPE) and has been reported by INCIBE. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

The vulnerability is rooted in CWE-863 (Incorrect Authorization), a classification indicating that the application fails to properly validate whether a user is authorized to access requested resources. Specifically, the /api/v1/webchat/message API endpoint in HiJiffy Chatbot does not adequately verify that the requesting user has legitimate access to view messages associated with a given 'visitor' identifier. The affected product is HiJiffy Chatbot (CPE: cpe:2.3:a:hijiffy:hijiffy_chatbot:*:*:*:*:*:*:*:*), and the vulnerability likely stems from a failure to implement proper access control checks before returning sensitive conversation data. Instead of validating resource ownership or user permissions, the application trusts the 'visitor' parameter input directly, enabling horizontal privilege escalation where one user can retrieve another user's private messages.

RemediationAI

Contact HiJiffy support immediately to obtain patched versions and security guidance, referencing INCIBE's advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hijiffy-chatbot. No vendor-released patch has been identified at the time of analysis; however, do not delay in engaging the vendor for patch availability and timelines. As an interim control, restrict network access to the /api/v1/webchat/message endpoint to trusted internal networks or verified client IP ranges using a Web Application Firewall (WAF) or reverse proxy, and implement strict request validation to block requests where the 'visitor' parameter does not match the authenticated user's identifier. Implement comprehensive API access logging to detect suspicious visitor parameter manipulation patterns. Until a vendor patch is available and deployed, consider disabling the affected endpoint if business operations permit, or require additional authentication factors (such as CAPTCHA or out-of-band verification) for message retrieval requests.

Share

CVE-2026-4263 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy