Skip to main content

Millie Chat CVE-2026-4399

| EUVDEUVD-2026-17357 HIGH
Improper Neutralization of Input Used for LLM Prompting (CWE-1427)
2026-03-31 INCIBE
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 31, 2026 - 10:45 euvd
EUVD-2026-17357
Analysis Generated
Mar 31, 2026 - 10:45 vuln.today
CVE Published
Mar 31, 2026 - 10:10 nvd
HIGH 8.7

DescriptionCVE.org

Prompt injection vulnerability in 1millionbot Millie chatbot that occurs when a user manages to evade chat restrictions using Boolean prompt injection techniques (formulating a question in such a way that, upon receiving an affirmative response ('true'), the model executes the injected instruction), causing it to return prohibited information and information outside its intended context. Successful exploitation of this vulnerability could allow a malicious remote attacker to abuse the service for purposes other than those originally intended, or even execute out-of-context tasks using 1millionbot's resources and/or OpenAI's API key. This allows the attacker to evade the containment mechanisms implemented during LLM model training and obtain responses or chat behaviors that were originally restricted.

AnalysisAI

Prompt injection in 1millionbot Millie chatbot allows remote attackers to bypass chat restrictions using Boolean logic techniques, enabling retrieval of prohibited information and execution of unintended tasks including potential abuse of OpenAI API keys. The vulnerability exploits insufficient input validation in the LLM's containment mechanisms, permitting attackers to reformulate queries in ways that trigger affirmative responses ('true') that then execute injected instructions outside the chatbot's intended scope.

Technical ContextAI

This vulnerability stems from CWE-1427 (Uncontrolled Search Path Element), which in the LLM context manifests as improper validation of user input before prompt execution. The attack leverages Boolean prompt injection-a technique where attackers structure queries to receive true/false responses that can be interpreted as authorization for subsequent malicious instructions. The affected product is 1millionbot's Millie Chat application (cpe:2.3:a:1millionbot:millie_chat:*:*:*:*:*:*:*:*), which integrates with OpenAI's API. The root cause is the failure to implement robust prompt filtering and context isolation mechanisms during both model training and runtime execution, allowing attackers to circumvent safeguards that were designed to restrict the chatbot's behavior and resource access.

RemediationAI

Implement robust input validation and prompt sanitization mechanisms to detect and block Boolean injection patterns and other common prompt injection techniques. Enforce strict separation between user input and system prompts by using prompt templates with explicit boundaries and parameter validation. Review and strengthen the LLM fine-tuning and training data to improve model resilience against adversarial inputs. Implement API key rotation policies and restrict OpenAI API permissions to the minimum required for chatbot operation (principle of least privilege). Deploy runtime monitoring and anomaly detection to identify unusual query patterns or out-of-context task attempts. Consult the INCIBE advisory (https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-1millionbot-millie-chatbot) for vendor-specific patches and recommended configuration changes. No specific patched version was independently confirmed in available data; coordinate with 1millionbot for official remediation releases.

Share

CVE-2026-4399 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy