Vulnerability Description
Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users being viewed by simply changing the conversation ID. The vulnerability is present in the endpoint 'api.1millionbot.com/api/public/conversations/' and, if exploited, could allow a remote attacker to access other users private chatbot conversations, revealing sensitive or confidential data without requiring credentials or impersonating users. In order for the vulnerability to be exploited, the attacker must have the user's conversation ID.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 1Millionbot | Millie Chatbot | < 3.6.0 |
Related Weaknesses (CWE)
References
- https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-1milThird Party Advisory
FAQ
What is CVE-2026-4400?
CVE-2026-4400 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users being viewed by simply changing the conversation ID. The vulnerability...
How severe is CVE-2026-4400?
CVE-2026-4400 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-4400?
Check the references section above for vendor advisories and patch information. Affected products include: 1Millionbot Millie Chatbot.