Description
Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'visitor' in '/api/v1/webchat/message'.
Published: 2026-03-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of private user messages
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the HiJiffy Chatbot's authorization logic. Because of an incorrect check, a request to the /api/v1/webchat/message endpoint can name any 'visitor' in its parameter and retrieve the messages that belong to that other user, disclosing private content. The weakness is CWE-863, Incorrect Authorization. An attacker can obtain sensitive personal or business information contained in these messages, affecting confidentiality and possibly the operator's reputation.

Affected Systems

The flaw affects all versions of the HiJiffy Chatbot software, as indicated by the CPE reference that covers every release. Administrators of installations using HiJiffy Chatbot should verify that their version is current, as older releases lack the authorization fix.

Risk and Exploitability

The CVSS 4.0 score of 6.9 sits at the top of the Medium band, indicating significant potential impact if exploited. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. However, the attack path is straightforward: the vector records no privileges and no user interaction required (PR:N/UI:N), so an unauthenticated client can send an HTTP request to the API endpoint with a chosen 'visitor' value, and the likelihood of exploitation in the wild remains reasonable. Installations whose API is reachable from the open Internet or that lack network segmentation are at higher risk.

Generated by OpenCVE AI on March 26, 2026 at 10:20 UTC.

Remediation

Vendor Solution

Update the product to the latest version.


OpenCVE Recommended Actions

  • Apply the vendor's patch or upgrade to the latest HiJiffy Chatbot release.
  • If an immediate patch is not possible, restrict the /api/v1/webchat/message endpoint to authenticated requests only and remove or neutralise the 'visitor' parameter.
  • Conduct an internal security review or penetration test to confirm that the authorization check now functions correctly.
  • Monitor service logs for repeated use of the 'visitor' parameter or abnormal message download traffic.

Generated by OpenCVE AI on March 26, 2026 at 10:20 UTC.
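As an added illustration (not HiJiffy's code; the message store, session tokens, log format and sample log lines are all constructed), the CWE-863 pattern described under Impact beside a check that binds the message owner to the authenticated session, together with the log heuristic behind the monitoring recommendation above:

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed stores standing in for the chatbot backend (hypothetical names).
MESSAGES = {"v-100": ["hello", "my booking is 4471"], "v-200": ["late checkout?"]}
SESSIONS = {"tok-a": "v-100", "tok-b": "v-200"}  # session token -> owning visitor

def get_messages_vulnerable(params):
    """CWE-863 pattern: the client-supplied 'visitor' alone selects the mailbox."""
    return MESSAGES.get(params.get("visitor"), [])

def get_messages_hardened(session_token, params):
    """Owner comes from the session, never the request. Returns (status, messages):
    401 for an unknown session, 403 if 'visitor' disagrees with the session owner."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None
    if params.get("visitor", owner) != owner:
        return 403, None
    return 200, list(MESSAGES.get(owner, []))

# Access-log prefix: <ip> <ident> "<method> <path-with-query> ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ "(?:GET|POST) (?P<path>\S+)')

def suspicious_clients(log_lines, endpoint="/api/v1/webchat/message", threshold=3):
    """Monitoring heuristic: client IPs that hit the endpoint with >= threshold
    distinct 'visitor' values (a legitimate widget session uses exactly one)."""
    distinct = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("path"))
        if url.path != endpoint:
            continue
        for visitor in parse_qs(url.query).get("visitor", []):
            distinct[m.group("ip")].add(visitor)
    return sorted(ip for ip, seen in distinct.items() if len(seen) >= threshold)

# Constructed sample log: one client cycles through visitor ids, one does not.
SAMPLE_LOG = [
    '203.0.113.7 - "GET /api/v1/webchat/message?visitor=v-100 HTTP/1.1" 200',
    '203.0.113.7 - "GET /api/v1/webchat/message?visitor=v-200 HTTP/1.1" 200',
    '203.0.113.7 - "GET /api/v1/webchat/message?visitor=v-300 HTTP/1.1" 200',
    '198.51.100.4 - "GET /api/v1/webchat/message?visitor=v-200 HTTP/1.1" 200',
    '198.51.100.4 - "GET /static/widget.js HTTP/1.1" 200',
]
```

The hardened handler also answers 403 rather than silently ignoring a mismatched 'visitor', so probing shows up as a countable status in the same logs the heuristic reads.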


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 09:30:00 +0000

Values Removed: none
Values Added:
Description: Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'visitor' in '/api/v1/webchat/message'.
Title: Incorrect authorization in HiJiffy Chatbot
First Time appeared: Hijiffy; Hijiffy hijiffy Chatbot
Weaknesses: CWE-863
CPEs: cpe:2.3:a:hijiffy:hijiffy_chatbot:all_versions:*:*:*:*:*:*:*
Vendors & Products: Hijiffy; Hijiffy hijiffy Chatbot
References: none
Metrics: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-26T14:02:38.779Z

Reserved: 2026-03-16T12:00:03.903Z

Link: CVE-2026-4263

Vulnrichment

Updated: 2026-03-26T14:02:29.524Z

NVD

Status: Awaiting Analysis

Published: 2026-03-26T10:16:26.173

Modified: 2026-03-26T15:13:15.790

Link: CVE-2026-4263

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T08:36:19Z

Weaknesses