Description
Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users to be viewed by simply changing the conversation ID. The vulnerability is present in the endpoint 'api.1millionbot.com/api/public/conversations/' and, if exploited, could allow a remote attacker to access other users' private chatbot conversations, revealing sensitive or confidential data without requiring credentials or impersonating users. In order for the vulnerability to be exploited, the attacker must have the user's conversation ID.
Published: 2026-03-31
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Private Conversations
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an insecure direct object reference: a remote attacker can view other users' private chatbot conversations by altering the conversation ID in the request URL. This discloses potentially sensitive or confidential user data without requiring authentication or impersonation. The weakness, identified as CWE-639, indicates that ownership and access-control checks on the conversation object are insufficient, exposing user-generated content directly.

Affected Systems

The affected product is 1millionbot Millie chat. Releases prior to the patched version 3.6.0 contain the IDOR flaw; the exact affected version range is not specified, but the vendor confirmed that 3.6.0 includes the fix.

Risk and Exploitability

The CVSS score of 7 indicates high severity, and the EPSS score is below 1%, suggesting low exploitation probability; the vulnerability is not listed in the KEV catalog. The bug does not require credentials; an attacker merely needs a valid conversation identifier. If an attacker can obtain or enumerate such IDs, they can retrieve private conversations. Given the simple request structure, the attack vector is remote and straightforward, making potential exploitation feasible in realistic scenarios.

Generated by OpenCVE AI on April 13, 2026 at 14:43 UTC.

Remediation

Vendor Solution

The vulnerabilities have been fixed by the 1millionbot team in version 3.6.0.


OpenCVE Recommended Actions

  • Upgrade to version 3.6.0 or later to apply the vendor fix.
  • Restrict exposure of conversation identifiers by making them non-guessable, removing them from logs, and limiting API access.
  • Monitor traffic for abnormal conversation ID usage and investigate suspicious accesses.

Generated by OpenCVE AI on April 13, 2026 at 14:43 UTC.
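The CWE-639 pattern described under Impact and the mitigations listed under Recommended Actions, as an added Python example that is not code from 1millionbot or OpenCVE: a conversation lookup keyed on the ID alone beside one that also checks ownership, a non-guessable ID generator, and a simple access-log check for clients that read unusually many distinct conversation IDs. The in-memory store, the owner field, the log format and the threshold are assumptions.

```python
import re
import secrets
from collections import defaultdict

# Constructed in-memory store (assumption: the service records an owner per conversation).
STORE = {
    "1001": {"owner": "alice", "messages": ["hi", "my order is late"]},
    "1002": {"owner": "bob", "messages": ["reset my password"]},
}

class Forbidden(Exception):
    """Missing conversation, or one the requester does not own."""

def get_conversation_vulnerable(conv_id, requester=None):
    # CWE-639 pattern: keyed on the ID alone; the requester is never consulted.
    return STORE.get(conv_id)

def get_conversation_fixed(conv_id, requester):
    # Fix: the record must exist AND belong to the authenticated requester.
    # Missing and foreign IDs raise the same error, so existence is not leaked.
    if requester is None:
        raise Forbidden("authentication required")
    conv = STORE.get(conv_id)
    if conv is None or conv["owner"] != requester:
        raise Forbidden("conversation not found")
    return conv

def new_conversation_id():
    # Non-guessable ID (128 random bits) instead of a sequential counter.
    return secrets.token_urlsafe(16)

LOG_RE = re.compile(r'^(\S+) .*"GET /api/public/conversations/(\w+)')

def flag_id_sweeps(log_lines, threshold=3):
    # Detection: clients that read at least `threshold` distinct conversation IDs.
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return {c: len(ids) for c, ids in seen.items() if len(ids) >= threshold}

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Mar/2026] "GET /api/public/conversations/1001 HTTP/1.1" 200',
    '203.0.113.5 - - [31/Mar/2026] "GET /api/public/conversations/1002 HTTP/1.1" 200',
    '203.0.113.5 - - [31/Mar/2026] "GET /api/public/conversations/1003 HTTP/1.1" 200',
    '198.51.100.7 - - [31/Mar/2026] "GET /api/public/conversations/1001 HTTP/1.1" 200',
]
```

Running `flag_id_sweeps(SAMPLE_LOG)` reports only the first client, which touched three distinct IDs; the threshold should be tuned to what a single legitimate user of the product actually does.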

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 21:45:00 +0000

  First Time appeared   added:   1millionbot millie Chatbot
  CPEs                  removed: cpe:2.3:a:1millionbot:millie_chat_bot:*:*:*:*:*:*:*:*
                        added:   cpe:2.3:a:1millionbot:millie_chatbot:*:*:*:*:*:*:*:*
  Vendors & Products    removed: 1millionbot millie Chat Bot
                        added:   1millionbot millie Chatbot

Mon, 13 Apr 2026 13:15:00 +0000

  First Time appeared   added:   1millionbot millie Chat Bot
  CPEs                  added:   cpe:2.3:a:1millionbot:millie_chat_bot:*:*:*:*:*:*:*:*
  Vendors & Products    added:   1millionbot millie Chat Bot
  Metrics (cvssV3_1)    added:   {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Tue, 31 Mar 2026 14:15:00 +0000

  Metrics (ssvc)        added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 10:45:00 +0000

  Description           added:   Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users being viewed by simply changing the conversation ID. The vulnerability is present in the endpoint 'api.1millionbot.com/api/public/conversations/' and, if exploited, could allow a remote attacker to access other users private chatbot conversations, revealing sensitive or confidential data without requiring credentials or impersonating users. In order for the vulnerability to be exploited, the attacker must have the user's conversation ID.
  Title                 added:   Multiple vulnerabilities in 1millionbot Millie chatbot
  First Time appeared   added:   1millionbot
                        added:   1millionbot millie Chat
  Weaknesses            added:   CWE-639
  CPEs                  added:   cpe:2.3:a:1millionbot:millie_chat:3.6.0:*:*:*:*:*:*:*
  Vendors & Products    added:   1millionbot
                        added:   1millionbot millie Chat
  References            added:   (none listed)
  Metrics (cvssV4_0)    added:   {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-31T13:30:36.779Z

Reserved: 2026-03-18T17:18:51.920Z

Link: CVE-2026-4400

Vulnrichment

Updated: 2026-03-31T13:30:32.769Z

NVD

Status: Analyzed

Published: 2026-03-31T11:16:14.470

Modified: 2026-04-14T21:31:12.640

Link: CVE-2026-4400

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:42:25Z

Weaknesses