{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4262", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2026-03-16T11:59:56.946Z", "datePublished": "2026-03-26T09:06:22.472Z", "dateUpdated": "2026-03-26T09:29:27.326Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-03-26T09:29:27.326Z"}, "title": "Incorrect authorization in HiJiffy Chatbot", "datePublic": "2026-03-26T09:01:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863", "type": "CWE"}]}], "affected": [{"vendor": "HiJiffy", "product": "HiJiffy Chatbot", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hijiffy:hijiffy_chatbot:all_versions:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en", "value": "Vulnerability of incorrect authorization in\u00a0HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'ID' in '/api/v1/download/<ID>/'.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Vulnerability of incorrect authorization in&nbsp;HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'ID' in '/api/v1/download/&lt;ID&gt;/'."}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hijiffy-chatbot"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}}], "solutions": [{"lang": "en", "value": "HiJiffy recommends updating to the latest available version.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "HiJiffy recommends updating to the latest available version."}]}], "credits": [{"lang": "en", "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability of incorrect authorization in\u00a0HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'ID' in '/api/v1/download/<ID>/'."}], "id": "CVE-2026-4262", "lastModified": "2026-03-26T10:16:25.780", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2026-03-26T10:16:25.780", "references": [{"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hijiffy-chatbot"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-26T10:20:32.095014+00:00", "value": {"mitigation_remediation": ["Apply the latest HiJiffy Chatbot update as released by the vendor", "If an update cannot be applied immediately, restrict or disable the /api/v1/download/<ID>/ endpoint to authenticated users only", "Ensure that all routes that accept user identifiers enforce proper ownership checks and return data only for the requesting user"], "summary": {"action": "Patch promptly", "impact": "Data disclosure"}, "threat_synthesis": {"affected_systems": "The affected component is the HiJiffy Chatbot service, for all published versions. The exploit originates from the public API endpoint /api/v1/download/<ID>/, which accepts a numeric or string identifier passed as a path parameter.", "description_and_impact": "A flaw in authorization controls within the HiJiffy Chatbot permits an attacker to retrieve private messages belonging to other users. By supplying an arbitrary identifier in the /api/v1/download/<ID>/ endpoint, an unauthenticated or improperly authenticated request can be used to export message contents. This weakness corresponds to the CWE-863 category, where access control mechanisms fail to enforce ownership checks, leading to confidentiality violations.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a medium severity vulnerability that can be leveraged remotely via standard HTTP requests. EPSS information is not available and the issue is not listed in the CISA KEV catalog, but the remote reachability and lack of authentication controls mean that an attacker with internet access can easily target the endpoint. As the vulnerability affects only message data and does not grant system compromise, the impact is limited to privacy breach."}}}}, "created": "2026-03-26T12:08:11.080815+00:00", "updated": "2026-03-26T12:08:11.080841+00:00", "vendors": []}