Impact
The vulnerability resides in the _isTrackedConversation function of ChannelBridge.ts, within the Contact Tracking component of DeepMyst Mysti. By manipulating the _channelType argument, an attacker can cause the authorization check to pass when it should not and gain access to tracked conversations they are not entitled to see. The attack can be launched remotely, but its complexity is rated high and exploitation is known to be difficult. A public exploit has nonetheless been released, so an attacker who satisfies the required conditions can use the flaw to bypass the intended access control.
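The following is an added illustration of the weakness class described above (an authorization decision taken on a caller-controlled argument), not DeepMyst Mysti's ChannelBridge.ts; the page does not show the real function body. Every type, name and data value here is hypothetical and constructed for the walk-through. The weak form decides on _channelType exactly as supplied; the hardened form validates the argument, derives the channel from the stored record, and treats a mismatch as a reason to deny.

```typescript
// Added illustration of the CWE-285 pattern (improper authorization on a
// caller-controlled argument). All names, types and data are hypothetical;
// this is not DeepMyst Mysti's code.

type ChannelType = "sms" | "email" | "webchat";
const CHANNEL_TYPES: readonly ChannelType[] = ["sms", "email", "webchat"];

interface Conversation {
  id: string;
  channelType: ChannelType; // authoritative channel, fixed when the record was created
  ownerId: string;
}

interface Caller {
  userId: string;
  trackedChannels: ChannelType[]; // channels on which this caller may read tracked conversations
}

// Constructed sample store standing in for the conversation database.
const conversations: Record<string, Conversation> = {
  "conv-1": { id: "conv-1", channelType: "sms", ownerId: "alice" },
  "conv-2": { id: "conv-2", channelType: "email", ownerId: "bob" },
};

function isChannelType(v: unknown): v is ChannelType {
  return typeof v === "string" && (CHANNEL_TYPES as readonly string[]).includes(v);
}

// Weak form: the decision is taken on _channelType as the caller supplied it.
// A caller permitted only on "sms" can claim "sms" while asking for an email
// conversation owned by someone else, and the check passes.
function isTrackedConversationWeak(caller: Caller, conversationId: string, _channelType: string): boolean {
  const conv = conversations[conversationId];
  if (!conv) return false;
  return caller.trackedChannels.includes(_channelType as ChannelType);
}

// Hardened form: validate the argument, then decide on the stored record rather
// than on the argument. A mismatch between the two is itself a reason to deny.
function isTrackedConversationHardened(caller: Caller, conversationId: string, _channelType: unknown): boolean {
  if (!isChannelType(_channelType)) return false;
  const conv = conversations[conversationId];
  if (!conv) return false;
  if (conv.channelType !== _channelType) return false;      // argument disagrees with the record
  if (conv.ownerId !== caller.userId) return false;         // object-level ownership check
  return caller.trackedChannels.includes(conv.channelType); // authorize on the record's channel
}

// Constructed principals for the walk-through.
const owner: Caller = { userId: "bob", trackedChannels: ["email"] };
const attacker: Caller = { userId: "mallory", trackedChannels: ["sms"] };

// The attacker asks for bob's email conversation but claims the channel is "sms".
console.log(isTrackedConversationWeak(attacker, "conv-2", "sms"));     // true: bypass
console.log(isTrackedConversationHardened(attacker, "conv-2", "sms")); // false
console.log(isTrackedConversationHardened(owner, "conv-2", "email"));  // true
```

The check that matters is the comparison against the stored record: once the channel is read from the conversation rather than from the argument, the argument can no longer steer the authorization outcome, and the ownership check closes the remaining object-level gap.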
Affected Systems
DeepMyst's Mysti product is affected in version 0.4.0, in the Contact Tracking module. No other versions are listed as affected, and no fixed release is named in the data summarized here.
Risk and Exploitability
The CVSS base score of 2.3 places the issue in the low severity band; no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The low score largely reflects the high attack complexity rather than any difficulty in reaching the code: the flaw is remotely reachable and public exploit code exists, which makes the threat realistic for a determined attacker. The weakness is classified under CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization). Despite the low CVSS, unauthorized exposure of tracked conversation data is a real outcome, and affected deployments should be updated or have the authorization logic around _isTrackedConversation reviewed.
OpenCVE Enrichment