Description
ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover. Version 1.2.11 fixes the issue.
Published: 2026-01-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

The vulnerability in ChatterBot versions up to 1.2.10 arises from improper handling of SQLAlchemy database sessions and the underlying connection pool. Concurrent calls to the get_response() method can exhaust the pool, causing the bot to become unavailable until a manual restart is performed. This is a resource exhaustion flaw (CWE-400) that results in denial of service, disrupting availability for legitimate users.

Affected Systems

The affected product is ChatterBot, a conversation engine developed by gunthercox. Versions up to 1.2.10 are vulnerable; the issue was fixed in version 1.2.11. No other dependent libraries or platforms are specifically mentioned.

Risk and Exploitability

The CVSS score of 7.5 indicates a medium-high severity level, though the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the denial of service by sending a high volume of requests to the bot's get_response() endpoint, typically over a network interface that exposes the bot. In practice, the attack vector would be remote, leveraging the bot's public API or webhooks, assuming the bot is accessible over the internet. Without a publicly documented exploit, a successful attack would require an active user session or the ability to invoke the get_response() method repeatedly.

Generated by OpenCVE AI on April 18, 2026 at 05:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to ChatterBot version 1.2.11 or later, which includes the connection pool fix.
  • If an upgrade is not immediately possible, implement request throttling or concurrency limits on the get_response() method to prevent exhausting the database pool.
  • Continuously monitor the database connection pool usage and perform a graceful restart of the service if the pool becomes saturated.
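The concurrency limit from the second action, as an added example that is neither ChatterBot's nor OpenCVE's code: ThrottledBot caps in-flight get_response() calls with a bounded semaphore and fails fast when the cap is held too long. FakePoolBot is a constructed stand-in for the bot and its SQLAlchemy pool (it raises once all connections are held); a real bot object with the same get_response() call shape can be dropped in its place.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

class FakePoolBot:
    """Constructed stand-in for ChatterBot: a fixed-size pool that raises when exhausted."""
    def __init__(self, pool_size):
        self.pool_size = pool_size
        self.in_use = self.peak = 0  # peak = most connections held at once
        self._lock = threading.Lock()

    def get_response(self, text):
        with self._lock:
            if self.in_use >= self.pool_size:
                raise RuntimeError("connection pool exhausted")
            self.in_use += 1
            self.peak = max(self.peak, self.in_use)
        try:
            time.sleep(0.01)  # stand-in for the database round trip
            return f"echo: {text}"
        finally:
            with self._lock:
                self.in_use -= 1

class ThrottledBot:
    """Cap in-flight get_response() calls at the pool size; reject instead of wedging."""
    def __init__(self, bot, max_concurrent, wait_timeout=1.0):
        self._bot = bot
        self._slots = threading.BoundedSemaphore(max_concurrent)
        self._wait_timeout = wait_timeout

    def get_response(self, text):
        # Wait briefly for a slot; give up rather than queue without bound.
        if not self._slots.acquire(timeout=self._wait_timeout):
            return None  # caller can answer "busy" or retry later
        try:
            return self._bot.get_response(text)
        finally:
            self._slots.release()

def run_burst(bot, n_requests, n_workers):
    """Fire n_requests at bot from n_workers threads; return (answered, failed)."""
    def one(i):
        try:
            return bot.get_response(f"msg {i}") is not None
        except RuntimeError:  # the unthrottled failure mode: pool drained
            return False
    with ThreadPoolExecutor(max_workers=n_workers) as workers:
        results = list(workers.map(one, range(n_requests)))
    return sum(results), len(results) - sum(results)
```

Set max_concurrent no higher than the pool size configured for the database engine; the semaphore then guarantees the pool can never be overdrawn by get_response() alone.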

Advisories
Source: GitHub GHSA
ID: GHSA-v4w8-49pv-mf72
Title: ChatterBot Vulnerable to Denial of Service via Database Connection Pool Exhaustion

History

Thu, 05 Feb 2026 18:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Chatterbot
                                      Chatterbot chatterbot
CPEs                 -                cpe:2.3:a:chatterbot:chatterbot:*:*:*:*:*:*:*:*
Vendors & Products   -                Chatterbot
                                      Chatterbot chatterbot

Tue, 20 Jan 2026 21:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc
                          {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Gunthercox
                                      Gunthercox chatterbot
Vendors & Products   -                Gunthercox
                                      Gunthercox chatterbot

Mon, 19 Jan 2026 19:00:00 +0000

Type         Values Removed   Values Added
Description  -                ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover. Version 1.2.11 fixes the issue.
Title        -                ChatterBot has Denial of Service via Database Connection Pool Exhaustion
Weaknesses   -                CWE-400
References
Metrics      -                cvssV3_1
                              {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T20:05:48.462Z

Reserved: 2026-01-16T15:46:40.842Z

Link: CVE-2026-23842

Vulnrichment

Updated: 2026-01-20T20:04:07.426Z

NVD

Status : Analyzed

Published: 2026-01-19T19:16:04.510

Modified: 2026-02-05T18:03:53.000

Link: CVE-2026-23842

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:15:15Z

Weaknesses