Description
Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'ID' in '/api/v1/download/<ID>/'.
Published: 2026-03-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data disclosure
Action: Patch promptly
AI Analysis

Impact

A flaw in authorization controls within the HiJiffy Chatbot permits an attacker to retrieve private messages belonging to other users. By supplying an arbitrary identifier in the /api/v1/download/<ID>/ endpoint, an unauthenticated or improperly authenticated request can be used to export message contents. This weakness corresponds to the CWE-863 category, where access control mechanisms fail to enforce ownership checks, leading to confidentiality violations.

Affected Systems

The affected component is the HiJiffy Chatbot service, for all published versions. The vulnerable entry point is the public API endpoint /api/v1/download/<ID>/, which accepts a numeric or string identifier as a path parameter.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium-severity vulnerability that can be leveraged remotely via standard HTTP requests. EPSS information is not available and the issue is not listed in the CISA KEV catalog, but the remote reachability and lack of authentication controls mean that an attacker with internet access can easily reach the endpoint. Because the vulnerability affects only message data and does not grant system compromise, the impact is limited to a confidentiality breach of those messages.

Generated by OpenCVE AI on March 26, 2026 at 10:20 UTC.

Remediation

Vendor Solution

HiJiffy recommends updating to the latest available version.


OpenCVE Recommended Actions

  • Apply the latest HiJiffy Chatbot update as released by the vendor
  • If an update cannot be applied immediately, restrict or disable the /api/v1/download/<ID>/ endpoint to authenticated users only
  • Ensure that all routes that accept user identifiers enforce proper ownership checks and return data only for the requesting user
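The ownership check recommended above, shown as an added example rather than HiJiffy's own code: a stand-in for GET /api/v1/download/<ID>/ written in plain Python with a constructed in-memory message store. The vulnerable handler looks a message up by its path ID alone; the hardened handler requires an authenticated principal, scopes the lookup to the requester's own messages, and returns the same 404 whether the ID is someone else's or does not exist, so the endpoint cannot be used to confirm which IDs are valid. The message store, user ids and the audit list are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data standing in for the chatbot's message table.
# Message ids are small sequential integers, i.e. trivially guessable.
@dataclass(frozen=True)
class Message:
    id: int
    owner_id: int
    body: str

MESSAGES: Dict[int, Message] = {
    101: Message(101, owner_id=1, body="guest 1: late checkout for room 204"),
    102: Message(102, owner_id=2, body="guest 2: nut allergy, please note"),
}

# (HTTP status, response body)
Response = Tuple[int, Optional[str]]

# Denied requests are recorded here so that one principal probing many
# foreign IDs stands out in monitoring (assumed audit sink).
AUDIT: List[Tuple[Optional[int], int]] = []


def download_vulnerable(requester_id: Optional[int], message_id: int) -> Response:
    """CWE-863 pattern: the message is fetched by path ID only; nobody checks
    that the caller owns it, so any ID returns its content to anyone."""
    msg = MESSAGES.get(message_id)
    if msg is None:
        return 404, None
    return 200, msg.body


def find_owned_message(owner_id: int, message_id: int) -> Optional[Message]:
    """Lookup scoped by owner AND id; the ownership predicate is part of the
    query itself, not an afterthought on the result."""
    msg = MESSAGES.get(message_id)
    return msg if msg is not None and msg.owner_id == owner_id else None


def download_hardened(requester_id: Optional[int], message_id: int) -> Response:
    """Ownership-enforcing version of the download route."""
    if requester_id is None:
        return 401, None                      # authentication is mandatory
    msg = find_owned_message(requester_id, message_id)
    if msg is None:
        AUDIT.append((requester_id, message_id))
        return 404, None                      # same answer for foreign / absent
    return 200, msg.body
```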



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 09:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'ID' in '/api/v1/download/<ID>/'.

Type: Title
Values Removed: (none)
Values Added: Incorrect authorization in HiJiffy Chatbot

Type: First Time appeared
Values Removed: (none)
Values Added: Hijiffy; Hijiffy hijiffy Chatbot

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-863

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:hijiffy:hijiffy_chatbot:all_versions:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Hijiffy; Hijiffy hijiffy Chatbot

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV4_0)
Values Removed: (none)
Values Added: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-26T14:06:16.836Z

Reserved: 2026-03-16T11:59:56.946Z

Link: CVE-2026-4262

Vulnrichment

Updated: 2026-03-26T14:06:06.102Z

NVD

Status : Awaiting Analysis

Published: 2026-03-26T10:16:25.780

Modified: 2026-03-26T15:13:15.790

Link: CVE-2026-4262

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T08:36:20Z

Weaknesses