Description
A weakness has been identified in DeepMyst Mysti 0.4.0. Affected is the function _isTrackedConversation of the file src/managers/ChannelBridge.ts of the component Contact Tracking. Manipulating the argument _channelType causes improper authorization. The attack may be initiated remotely. A high degree of complexity is needed for the attack, and exploitation is reported to be difficult. The exploit has been made available to the public and could be used for attacks. Patch name: 9b4aff0f106db424aa45a35aa89dd0b8f2eb9a48. It is suggested to install a patch to address this issue.
Published: 2026-06-29
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the _isTrackedConversation function of the ChannelBridge.ts file within DeepMyst Mysti’s Contact Tracking component. It allows an attacker to manipulate the _channelType argument, resulting in improper authorization checks and enabling unauthorized access to tracked conversations. The exploit can be triggered remotely, but it requires a high degree of complexity and is considered difficult to execute. A public exploit has been released, indicating that an attacker who successfully navigates the complexity could leverage the flaw to bypass intended access controls.

Affected Systems

DeepMyst’s Mysti product, specifically version 0.4.0, is affected. Users running this legacy release should be aware that the flaw exists in the Contact Tracking module of that version.

Risk and Exploitability

The CVSS base score of 2.3 reflects a low severity assessment, and the EPSS score is not available, while the vulnerability is not listed in the CISA KEV catalog. However, the public availability of an exploit and the fact that the attack can be initiated remotely point to a realistic threat. The weakness is classified under CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization). Despite the low CVSS score, the risk of unauthorized data exposure remains real, and mitigation is recommended.

Generated by OpenCVE AI on June 29, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch identified by commit 9b4aff0f106db424aa45a35aa89dd0b8f2eb9a48 to address the improper authorization in the ChannelBridge module.
  • Upgrade to the latest available release of Mysti or ensure the patched version is deployed to eliminate the known flaw.
  • Validate that the _channelType argument is correctly constrained to an authorized set of values to prevent future authorization bypass attempts.


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 18:30:00 +0000

Values Added (no values removed):

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 17:15:00 +0000

Values Added (no values removed):

  • Description: A weakness has been identified in DeepMyst Mysti 0.4.0. Affected is the function _isTrackedConversation of the file src/managers/ChannelBridge.ts of the component Contact Tracking. Manipulating the argument _channelType causes improper authorization. The attack may be initiated remotely. A high degree of complexity is needed for the attack, and exploitation is reported to be difficult. The exploit has been made available to the public and could be used for attacks. Patch name: 9b4aff0f106db424aa45a35aa89dd0b8f2eb9a48. It is suggested to install a patch to address this issue.
  • Title: DeepMyst Mysti Contact Tracking ChannelBridge.ts _isTrackedConversation improper authorization
  • First Time appeared: Deepmyst; Deepmyst mysti
  • Weaknesses: CWE-266, CWE-285
  • CPEs: cpe:2.3:a:deepmyst:mysti:*:*:*:*:*:*:*:*
  • Vendors & Products: Deepmyst; Deepmyst mysti
  • References:
  • Metrics:

    cvssV2_0: {'score': 4.6, 'vector': 'AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

    cvssV3_0: {'score': 5, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

    cvssV3_1: {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

    cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T17:30:50.826Z

Reserved: 2026-06-29T04:51:32.852Z

Link: CVE-2026-13591

Vulnrichment

Updated: 2026-06-29T17:30:46.231Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T23:30:05Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment

  • CWE-285

    Improper Authorization