Description
Typesense is a fast, typo-tolerant search engine. Prior to versions 29.1 and 30.2, there is a cache isolation issue affecting search requests that use both server-side search result caching and Scoped Search API Keys. Under specific request ordering, cached search results could be reused across requests with different Scoped Search API Key constraints. This could result in a request receiving search results that should have been restricted by its Scoped Search API Key. This issue only affects search requests that use both server-side search result caching and Scoped Search API Keys with embedded filters to restrict access to search results within a collection. This vulnerability may result in unintended disclosure of search results across scoped authorization contexts. This issue has been patched in versions 29.1 and 30.2.
Published: 2026-06-12
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows a user to exploit improperly isolated search caches to retrieve data from other authorization contexts. The flaw occurs when Typesense uses both server‑side cached results and Scoped Search API Keys that contain embedded filters. Under a specific sequence of requests, the cache holds results computed under one key and serves them to a request that should have been limited by a different key, exposing restricted search results. The consequence is that an attacker could see data that the requester's Scoped Search API Key should have filtered out, leading to privacy or confidentiality violations.
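To make the cache-isolation failure described above concrete, here is an added illustration in Python (not Typesense's code): a toy search cache keyed on the query text alone leaks results across scoped keys, while keying on the query plus the key's embedded filter does not. The collection, documents, scoped keys and `tenant:=<value>` filter syntax are constructed for the example.

```python
# Added illustration (not Typesense code): a search-result cache must be keyed
# on the scoped key's embedded constraints, not on the query text alone.
# The collection, documents, scoped keys and filter syntax here are constructed.

DOCS = [
    {"id": "1", "title": "Q3 revenue report", "tenant": "acme"},
    {"id": "2", "title": "Q3 revenue forecast", "tenant": "globex"},
    {"id": "3", "title": "Holiday schedule", "tenant": "acme"},
]

# Scoped keys: each carries an embedded filter the caller cannot change.
# Hypothetical filter format used here: "<field>:=<value>".
SCOPED_KEYS = {
    "scoped-acme": {"filter_by": "tenant:=acme"},
    "scoped-globex": {"filter_by": "tenant:=globex"},
}

def _search(q, filter_by):
    """Uncached search: substring match on title, restricted by the filter."""
    field, _, want = filter_by.partition(":=")
    return [d["id"] for d in DOCS
            if q.lower() in d["title"].lower() and d[field] == want]

class SearchCache:
    def __init__(self, isolate_by_scope):
        self.isolate_by_scope = isolate_by_scope
        self.store = {}

    def search(self, api_key, q):
        filter_by = SCOPED_KEYS[api_key]["filter_by"]
        # Weak variant: only the query text forms the cache key, so a result
        # computed under one scoped key is served to a request under another.
        # Fixed variant: the effective filter is part of the cache key.
        key = (q, filter_by) if self.isolate_by_scope else (q,)
        if key not in self.store:
            self.store[key] = _search(q, filter_by)
        return self.store[key]

def leaked_ids(cache):
    """Replay the request ordering from the advisory: one scoped key searches
    first, a second scoped key repeats the same query. Return any ids the
    second key received that its filter should have excluded."""
    cache.search("scoped-acme", "revenue")        # populates the cache
    served = cache.search("scoped-globex", "revenue")
    return [i for i in served if DOCS[int(i) - 1]["tenant"] != "globex"]
```

With `isolate_by_scope=False` the second request receives the acme document; with `isolate_by_scope=True` it receives only its own tenant's results.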

Affected Systems

The affected product is Typesense, a typo‑tolerant search engine. Versions prior to 29.1 for the 29.x line and prior to 30.2 for the 30.x line are vulnerable. Any deployment that enables both server‑side result caching and uses Scoped Search API Keys with embedded filters for collection‑level restrictions is at risk.

Risk and Exploitability

The CVSS score of 6.0 categorizes this flaw as moderate severity, and the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not in the CISA KEV catalog. Exploitation requires the attacker to control request sequencing against the same cached index and to hold a valid scoped key, so network access to the Typesense instance and some level of legitimate interaction are needed. Because the attack surface is limited to environments that expose the API and enable result caching, the risk remains moderate, but sensitive data leakage is possible where that scenario is met.

Generated by OpenCVE AI on June 12, 2026 at 19:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Typesense to version 29.1 or later on the 29.x line, or 30.2 or later on the 30.x line.
  • If an upgrade is delayed, temporarily disable server‑side search result caching or avoid using Scoped Search API Keys with embedded filters until the patch is applied.
  • Monitor search request logs for unusual cross‑context result disclosures and verify that no unauthorized data is returned.


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Typesense; Typesense typesense
Vendors & Products                     Typesense; Typesense typesense

Fri, 12 Jun 2026 19:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 18:00:00 +0000

Type          Values Removed   Values Added
Description                    Typesense is a fast, typo-tolerant search engine. Prior to versions 29.1 and 30.2, there is a cache isolation issue affecting search requests that use both server-side search result caching and Scoped Search API Keys. Under specific request ordering, cached search results could be reused across requests with different Scoped Search API Key constraints. This could result in a request receiving search results that should have been restricted by its Scoped Search API Key. This issue only affects search requests that use both server-side search result caching and Scoped Search API Keys with embedded filters to restrict access to search results within a collection. This vulnerability may result in unintended disclosure of search results across scoped authorization contexts. This issue has been patched in versions 29.1 and 30.2.
Title                          Improper Search Cache Isolation for Scoped Search API Keys in Typesense
Weaknesses                     CWE-524
References                     (empty)
Metrics                        cvssV4_0: {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Typesense Typesense
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T18:30:36.952Z

Reserved: 2026-05-18T22:25:21.259Z

Link: CVE-2026-47225

Vulnrichment

Updated: 2026-06-12T18:30:32.987Z

NVD

Status: Received

Published: 2026-06-12T18:16:34.783

Modified: 2026-06-12T18:16:34.783

Link: CVE-2026-47225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:19:31Z

Weaknesses
  • CWE-524: Use of Cache Containing Sensitive Information