Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Requires specific request ordering and co-enablement of two non-default features (AC:H), a valid scoped API key (PR:L), and produces confidentiality-only impact with no scope change.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Typesense is a fast, typo-tolerant search engine. Prior to versions 29.1 and 30.2, there is a cache isolation issue affecting search requests that use both server-side search result caching and Scoped Search API Keys. Under specific request ordering, cached search results could be reused across requests with different Scoped Search API Key constraints. This could result in a request receiving search results that should have been restricted by its Scoped Search API Key. This issue only affects search requests that use both server-side search result caching and Scoped Search API Keys with embedded filters to restrict access to search results within a collection. This vulnerability may result in unintended disclosure of search results across scoped authorization contexts. This issue has been patched in versions 29.1 and 30.2.
AnalysisAI
Cache isolation failure in Typesense's search engine exposes restricted search results across Scoped Search API Key authorization boundaries. When server-side caching and Scoped API Keys are both active, a specific sequence of requests can cause the cache to serve results to a scoped requester that were originally populated by a less-restricted context, effectively bypassing the embedded filter constraints of that key. Versions prior to 29.1 and 30.2 are affected; vendor-released patches exist in both release lines, with no public exploit identified and an EPSS of 0.05% (15th percentile) confirming low current exploitation probability.
Technical ContextAI
Typesense (CPE: cpe:2.3:a:typesense:typesense:*:*:*:*:*:*:*:*) is a typo-tolerant search engine that offers two intersecting features central to this flaw: server-side search result caching for performance optimization, and Scoped Search API Keys that embed filter clauses to enforce per-user or per-role document access within a collection. The root cause is CWE-524 (Use of Cache Containing Sensitive Information): the cache key derivation does not incorporate the scoped key's embedded filter constraints as a cache-differentiating dimension. Consequently, a cache entry produced by an unscoped or differently-scoped request is treated as a valid hit for a subsequently issued scoped request that matches on other dimensions (e.g., query string, collection). The CVSS 4.0 metric AT:P (Attack Target: Present) directly models this configuration-dependent attack surface.
RemediationAI
Upgrade Typesense to version 29.1 (on the 29.x branch) or 30.2 (on the 30.x branch), both of which contain the patch for this cache isolation issue, as confirmed by the vendor advisory at https://github.com/typesense/typesense/security/advisories/GHSA-97x4-gm45-jpcw. If an immediate upgrade is not operationally feasible, the most targeted compensating control is to disable server-side search result caching entirely, which eliminates the shared-cache vector at the cost of increased search latency and higher backend query load - a trade-off that must be weighed against the sensitivity of the data accessible via Scoped Keys. A secondary workaround is to shift access control filtering to the application layer rather than relying on Scoped API Key embedded filters, though this transfers enforcement responsibility away from Typesense and requires that the calling application correctly apply all necessary restrictions on every request. The low EPSS score should not be used to justify indefinite deferral in deployments where both features are in concurrent use.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36511