Skip to main content

Millie Chat CVE-2026-4400

| EUVDEUVD-2026-17359 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-31 INCIBE
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 31, 2026 - 10:45 euvd
EUVD-2026-17359
Analysis Generated
Mar 31, 2026 - 10:45 vuln.today
CVE Published
Mar 31, 2026 - 10:12 nvd
HIGH 7.0

DescriptionCVE.org

Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users being viewed by simply changing the conversation ID. The vulnerability is present in the endpoint 'api.1millionbot.com/api/public/conversations/' and, if exploited, could allow a remote attacker to access other users private chatbot conversations, revealing sensitive or confidential data without requiring credentials or impersonating users. In order for the vulnerability to be exploited, the attacker must have the user's conversation ID.

AnalysisAI

Insecure Direct Object Reference (IDOR) in 1millionbot Millie chat allows unauthenticated remote attackers to access other users' private chatbot conversations by manipulating conversation IDs in API requests to 'api.1millionbot.com/api/public/conversations/'. An attacker with knowledge of a target conversation ID can retrieve sensitive or confidential data without authentication. No public exploit code or active exploitation has been independently confirmed at the time of analysis.

Technical ContextAI

The vulnerability exists in the 'api.1millionbot.com/api/public/conversations/' endpoint, which fails to implement proper authorization controls to validate that the requesting user owns or has permission to access the requested conversation resource. This is a classic Insecure Direct Object Reference (CWE-639) where the application exposes direct references to backend objects (conversation records) without verifying access rights. The endpoint likely accepts a conversation ID as a parameter and returns conversation data based solely on that ID without cross-referencing the authenticated user's conversation inventory. The affected product is 1millionbot Millie chat, which is a chatbot communication platform.

RemediationAI

Implement proper authorization controls on the 'api.1millionbot.com/api/public/conversations/' endpoint to validate that the authenticated user owns or has explicit permission to access the requested conversation before returning data. All API endpoints that expose conversation data should implement server-side access control checks that verify the requesting user's identity and permissions against the conversation ownership record. Contact 1millionbot for a patched version; interim mitigation may include restricting API access to authenticated users only and implementing rate limiting on conversation ID queries. Refer to the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-1millionbot-millie-chatbot for additional guidance and coordinated disclosure status.

Share

CVE-2026-4400 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy