Description
prompts.chat prior to commit 7b81836 contains multiple authorization bypass vulnerabilities due to missing isPrivate checks across API endpoints and page metadata generation that allow unauthorized users to access sensitive data associated with private prompts. Attackers can exploit these missing authorization checks to retrieve private prompt version history, change requests, examples, current content, and metadata including titles and descriptions exposed via HTML meta tags.
Published: 2026-04-03
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure – unauthorized access to private prompt data
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is caused by missing authorization checks in several API endpoints and during the generation of page metadata in prompts.chat. This allows unauthenticated or improperly authenticated users to access information that is intended to be private, such as prompt version history, change requests, examples, current content, titles and descriptions that are rendered as HTML meta tags. The weakness is an authorization bypass that permits information disclosure, classified as CWE-862.
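
As an added illustration (not code from prompts.chat), the following TypeScript models the fix the advisory describes: one isPrivate/ownership gate that both the API sub-resource handlers and the page-metadata generator must pass through, so the check cannot be omitted on a single path. The Prompt fields, the Viewer shape and all function names are assumptions.

```typescript
// Added example (not prompts.chat's own code): one authorization gate shared by
// every API sub-resource and by page-metadata generation, so the isPrivate check
// cannot be missed on a single path. Field and function names are assumed.
type Viewer = { id: string } | null;

interface Prompt {
  id: string;
  ownerId: string;
  isPrivate: boolean;
  title: string;
  description: string;
  content: string;
  versions: string[];
  changeRequests: string[];
  examples: string[];
}

// The single check that every read of a prompt must pass through.
function canViewPrompt(prompt: Prompt, viewer: Viewer): boolean {
  if (!prompt.isPrivate) return true;
  return viewer !== null && viewer.id === prompt.ownerId;
}

type Resource = "versions" | "changeRequests" | "examples" | "content";
type ApiResult =
  | { status: 200; body: string | string[] }
  | { status: 404; body: null };

// API handler: the sub-resource is read only after the gate passes, and a
// private prompt answers 404 so the response does not confirm it exists.
function getPromptResource(prompt: Prompt, viewer: Viewer, resource: Resource): ApiResult {
  if (!canViewPrompt(prompt, viewer)) return { status: 404, body: null };
  return { status: 200, body: prompt[resource] };
}

// Page metadata: an unauthorized viewer gets placeholder values, so the real
// title and description never reach the HTML <meta> tags.
function generateMetadata(prompt: Prompt, viewer: Viewer): { title: string; description: string } {
  if (!canViewPrompt(prompt, viewer)) return { title: "Private prompt", description: "" };
  return { title: prompt.title, description: prompt.description };
}

// Constructed sample data for a stand-alone run.
const samplePrompt: Prompt = {
  id: "p1", ownerId: "alice", isPrivate: true,
  title: "Internal escalation playbook", description: "Do not share",
  content: "secret body", versions: ["v1", "v2"], changeRequests: [], examples: [],
};
```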

Affected Systems

The flaw affects the prompts.chat web platform in all releases preceding commit 7b81836. Users who rely on the public interface of the service are at risk if the application is not isolated within a secure network. No specific version strings are listed in the advisory, so any publicly available release before the patch is considered vulnerable.

Risk and Exploitability

The CVSS base score of 8.7 indicates high severity, driven by the confidentiality impact. The EPSS score is below 1%, suggesting a low current exploitation probability, and the vulnerability is not yet listed in the CISA KEV catalogue. Exploitation is likely achievable by issuing simple HTTP requests to the exposed API endpoints or by loading a private prompt page, at which point the unauthorized data is returned directly or embedded in the page’s HTML. The attack path requires no privileges beyond those of an unauthenticated or poorly authenticated user.

Generated by OpenCVE AI on April 13, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the patch associated with commit 7b81836 or later to remove the missing authorization checks.
  • Ensure that all API endpoints and the page metadata generation path enforce proper authentication and authorization before serving data.
  • Verify that no private prompt data is exposed through HTML meta tags or other publicly accessible interfaces.
  • Conduct regular reviews of access controls and audit logs to detect any unauthorized access attempts.

Tracking

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 18:15:00 +0000

Type: First Time appeared
  Values added: Fka; Fka prompts.chat
Type: CPEs
  Values added: cpe:2.3:a:fka:prompts.chat:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values added: Fka; Fka prompts.chat

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
  Values added: F; F prompts.chat
Type: Vendors & Products
  Values added: F; F prompts.chat

Mon, 06 Apr 2026 14:15:00 +0000

Type: Metrics
  Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 21:30:00 +0000

Type: Description
  Values added: prompts.chat prior to commit 7b81836 contains multiple authorization bypass vulnerabilities due to missing isPrivate checks across API endpoints and page metadata generation that allow unauthorized users to access sensitive data associated with private prompts. Attackers can exploit these missing authorization checks to retrieve private prompt version history, change requests, examples, current content, and metadata including titles and descriptions exposed via HTML meta tags.
Type: Title
  Values added: prompts.chat Authorization Bypass Information Disclosure
Type: Weaknesses
  Values added: CWE-862
Type: References
Type: Metrics
  Values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T13:10:30.995Z

Reserved: 2026-01-08T19:04:26.364Z

Link: CVE-2026-22663

Vulnrichment

Updated: 2026-04-06T13:10:25.704Z

NVD

Status : Analyzed

Published: 2026-04-03T21:17:09.337

Modified: 2026-04-13T18:15:02.253

Link: CVE-2026-22663

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:44Z

Weaknesses