Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Prompt injection vulnerability in 1millionbot Millie chatbot that occurs when a user manages to evade chat restrictions using Boolean prompt injection techniques (formulating a question in such a way that, upon receiving an affirmative response ('true'), the model executes the injected instruction), causing it to return prohibited information and information outside its intended context. Successful exploitation of this vulnerability could allow a malicious remote attacker to abuse the service for purposes other than those originally intended, or even execute out-of-context tasks using 1millionbot's resources and/or OpenAI's API key. This allows the attacker to evade the containment mechanisms implemented during LLM model training and obtain responses or chat behaviors that were originally restricted.
AnalysisAI
Prompt injection in 1millionbot Millie chatbot allows remote attackers to bypass chat restrictions using Boolean logic techniques, enabling retrieval of prohibited information and execution of unintended tasks including potential abuse of OpenAI API keys. The vulnerability exploits insufficient input validation in the LLM's containment mechanisms, permitting attackers to reformulate queries in ways that trigger affirmative responses ('true') that then execute injected instructions outside the chatbot's intended scope.
Technical ContextAI
This vulnerability stems from CWE-1427 (Uncontrolled Search Path Element), which in the LLM context manifests as improper validation of user input before prompt execution. The attack leverages Boolean prompt injection-a technique where attackers structure queries to receive true/false responses that can be interpreted as authorization for subsequent malicious instructions. The affected product is 1millionbot's Millie Chat application (cpe:2.3:a:1millionbot:millie_chat:*:*:*:*:*:*:*:*), which integrates with OpenAI's API. The root cause is the failure to implement robust prompt filtering and context isolation mechanisms during both model training and runtime execution, allowing attackers to circumvent safeguards that were designed to restrict the chatbot's behavior and resource access.
RemediationAI
Implement robust input validation and prompt sanitization mechanisms to detect and block Boolean injection patterns and other common prompt injection techniques. Enforce strict separation between user input and system prompts by using prompt templates with explicit boundaries and parameter validation. Review and strengthen the LLM fine-tuning and training data to improve model resilience against adversarial inputs. Implement API key rotation policies and restrict OpenAI API permissions to the minimum required for chatbot operation (principle of least privilege). Deploy runtime monitoring and anomaly detection to identify unusual query patterns or out-of-context task attempts. Consult the INCIBE advisory (https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-1millionbot-millie-chatbot) for vendor-specific patches and recommended configuration changes. No specific patched version was independently confirmed in available data; coordinate with 1millionbot for official remediation releases.
More in Millie Chat
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17357