CVE-2026-4263 - Vulnerability Details - OpenCVE

Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter
'visitor' in '/api/v1/webchat/message'.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Hijiffy Subscribe	Hijiffy Chatbot Subscribe

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

No data.

Advisories

No advisories yet.

Fixes

Solution

Update the product to the latest version.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hijiffy-chatbot

History

Thu, 26 Mar 2026 09:30:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'visitor' in '/api/v1/webchat/message'.
Title		Incorrect authorization in HiJiffy Chatbot
First Time appeared		Hijiffy Hijiffy hijiffy Chatbot
Weaknesses		CWE-863
CPEs		cpe:2.3:a:hijiffy:hijiffy_chatbot:all_versions:::::::*
Vendors & Products		Hijiffy Hijiffy hijiffy Chatbot
References		https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hijiffy-chatbot
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2026-03-26T09:12:45.571Z

Updated: 2026-03-26T09:29:07.251Z

Reserved: 2026-03-16T12:00:03.903Z

Link: CVE-2026-4263

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-26T10:16:26.173

Modified: 2026-03-26T10:16:26.173

Link: CVE-2026-4263

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:08:09Z

Weaknesses

CWE-863

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4263", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2026-03-16T12:00:03.903Z", "datePublished": "2026-03-26T09:12:45.571Z", "dateUpdated": "2026-03-26T09:29:07.251Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-03-26T09:29:07.251Z"}, "title": "Incorrect authorization in HiJiffy Chatbot", "datePublic": "2026-03-26T09:08:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863", "type": "CWE"}]}], "affected": [{"vendor": "HiJiffy", "product": "HiJiffy Chatbot", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hijiffy:hijiffy_chatbot:all_versions:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en", "value": "Vulnerability of incorrect authorization in\u00a0HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter\u00a0\n'visitor' in '/api/v1/webchat/message'.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter \n'visitor' in '/api/v1/webchat/message'."}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hijiffy-chatbot"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}}], "solutions": [{"lang": "en", "value": "Update the product to the latest version.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Update the product to the latest version."}]}], "credits": [{"lang": "en", "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability of incorrect authorization in\u00a0HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter\u00a0\n'visitor' in '/api/v1/webchat/message'."}], "id": "CVE-2026-4263", "lastModified": "2026-03-26T10:16:26.173", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2026-03-26T10:16:26.173", "references": [{"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hijiffy-chatbot"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}

{"analysis": {"en": {"generated_at": "2026-03-26T10:20:19.907115+00:00", "value": {"mitigation_remediation": ["Apply the vendor's patch or upgrade to the latest HiJiffy Chatbot release as recommended by the vendor.", "If an immediate patch is not possible, restrict the /api/v1/webchat/message endpoint to authenticated requests only and remove or neutralise the 'visitor' parameter.", "Conduct an internal security review or penetration test to confirm that the authorization check now functions correctly.", "Monitor service logs for repeated use of the 'visitor' parameter or abnormal message download traffic."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized disclosure of private user messages"}, "threat_synthesis": {"affected_systems": "The flaw affects all versions of the HiJiffy Chatbot software, as indicated by the CPE reference that covers every release. Administrators of installations using HiJiffy Chatbot should verify that their version is current, as older releases lack the authorization fix.", "description_and_impact": "The vulnerability resides in the HiJiffy Chatbot's authorization logic. Because of an incorrect check, requests to the /api/v1/webchat/message endpoint can specify a 'visitor' parameter and retrieve messages that belong to other users. This results in an unauthorized disclosure of private content. The weakness maps to CWE\u2011863, Authorization Bypass through Privilege Escalation. An attacker can obtain sensitive personal or business information contained in these messages, affecting confidentiality and possibly reputation.", "risk_and_exploitability": "The CVSS score of 6.9 places this issue in the moderate-to-high range, indicating significant potential impact if exploited. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. However, the attack path is straightforward: an unauthenticated user can send an HTTP request to the API endpoint with a crafted 'visitor' parameter, so the likelihood of exploitation in the wild remains reasonable. Infrastructure with open API access or without network segmentation could be at higher risk."}}}}, "created": "2026-03-26T12:08:09.980159+00:00", "updated": "2026-03-26T12:08:09.980186+00:00", "vendors": []}