Skip to main content

Prompts Chat EUVDEUVD-2026-18825

| CVE-2026-22663 HIGH
Missing Authorization (CWE-862)
2026-04-03 VulnCheck GHSA-hphm-9vp4-h223
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 03, 2026 - 20:45 euvd
EUVD-2026-18825
Analysis Generated
Apr 03, 2026 - 20:45 vuln.today
Patch released
Apr 03, 2026 - 20:45 nvd
Patch available
CVE Published
Apr 03, 2026 - 20:27 nvd
HIGH 8.7

DescriptionCVE.org

prompts.chat prior to commit 7b81836 contains multiple authorization bypass vulnerabilities due to missing isPrivate checks across API endpoints and page metadata generation that allow unauthorized users to access sensitive data associated with private prompts. Attackers can exploit these missing authorization checks to retrieve private prompt version history, change requests, examples, current content, and metadata including titles and descriptions exposed via HTML meta tags.

AnalysisAI

Authorization bypass vulnerabilities in prompts.chat (pre-commit 7b81836) expose private prompt data to unauthenticated remote attackers. Missing isPrivate validation checks across multiple API endpoints and metadata generation functions allow unauthorized retrieval of version history, change requests, examples, content, and HTML meta tag information for prompts marked private. No public exploit identified at time of analysis, though CVSS 8.7 reflects network-accessible, low-complexity attack requiring no privileges. Vendor-released patch available via GitHub commit 7b81836b21.

Technical ContextAI

This vulnerability affects prompts.chat, a web application for managing and sharing prompt templates (cpe:2.3:a:f:prompts.chat). The root cause (CWE-862: Missing Authorization) stems from inadequate server-side access control enforcement. The application relies on isPrivate flags to distinguish public versus private prompts, but multiple API endpoints and the page metadata generation logic fail to verify this flag before returning sensitive data. The CVSS 4.0 vector (AV:N/AC:L/PR:N) confirms these endpoints are network-accessible without authentication, and the straightforward exploitation path requires no specialized conditions. This represents a classic broken access control scenario where client-side or database-level privacy indicators exist but backend authorization logic is incomplete, allowing direct object reference attacks against private resources.

RemediationAI

Vendor-released patch: Organizations must immediately update to commit 7b81836b214f2796aaf37ded2944eadc978afd35 or any subsequent version that includes this fix. The patch can be obtained from the GitHub repository at https://github.com/f/prompts.chat/commit/7b81836b214f2796aaf37ded2944eadc978afd35, and the associated pull request #1104 (https://github.com/f/prompts.chat/pull/1104) provides implementation context. For self-hosted deployments, pull the latest code from the main branch and rebuild. As an interim mitigation if patching is delayed, consider implementing reverse proxy rules to restrict API endpoint access to authenticated users only, though this workaround may impact legitimate functionality and does not address metadata leakage in HTML responses. Network segmentation to limit exposure of the prompts.chat instance is advisable until patching is complete. Post-patch, conduct an audit to identify potentially compromised private prompts and notify affected users.

Share

EUVD-2026-18825 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy