CVE-2026-22663

prompts.chat prior to commit 7b81836 contains multiple authorization bypass vulnerabilities due to missing isPrivate checks across API endpoints and page metadata generation that allow unauthorized users to access sensitive data associated with private prompts. Attackers can exploit these missing authorization checks to retrieve private prompt version history, change requests, examples, current content, and metadata including titles and descriptions exposed via HTML meta tags.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/f/prompts.chat/commit/7b81836b214f2796aaf37ded2944eadc978afd35	Patch
https://github.com/f/prompts.chat/pull/1104	Issue Tracking Patch Vendor Advisory
https://www.vulncheck.com/advisories/prompts-chat-authorization-bypass-information-disclosure	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:fka:prompts.chat:*:*:*:*:*:*:*:*

History

13 Apr 2026, 18:15

Type	Values Removed	Values Added
References	~~() https://github.com/f/prompts.chat/commit/7b81836b214f2796aaf37ded2944eadc978afd35 -~~	() https://github.com/f/prompts.chat/commit/7b81836b214f2796aaf37ded2944eadc978afd35 - Patch
References	~~() https://github.com/f/prompts.chat/pull/1104 -~~	() https://github.com/f/prompts.chat/pull/1104 - Issue Tracking, Patch, Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/prompts-chat-authorization-bypass-information-disclosure -~~	() https://www.vulncheck.com/advisories/prompts-chat-authorization-bypass-information-disclosure - Third Party Advisory
CPE		cpe:2.3:a:fka:prompts.chat::::::::
First Time		Fka Fka prompts.chat

03 Apr 2026, 21:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-03 21:17

Updated : 2026-04-13 18:15

NVD link : CVE-2026-22663

Mitre link : CVE-2026-22663

CVE.ORG link : CVE-2026-22663

JSON object : View

Products Affected

fka

prompts.chat

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-22663", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-03T21:17:09.337", "references": [{"url": "https://github.com/f/prompts.chat/commit/7b81836b214f2796aaf37ded2944eadc978afd35", "tags": ["Patch"], "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/f/prompts.chat/pull/1104", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/prompts-chat-authorization-bypass-information-disclosure", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "prompts.chat prior to commit 7b81836 contains multiple authorization bypass vulnerabilities due to missing isPrivate checks across API endpoints and page metadata generation that allow unauthorized users to access sensitive data associated with private prompts. Attackers can exploit these missing authorization checks to retrieve private prompt version history, change requests, examples, current content, and metadata including titles and descriptions exposed via HTML meta tags."}], "lastModified": "2026-04-13T18:15:02.253", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fka:prompts.chat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2231F343-295D-417B-9925-BA342FB6A8F0", "versionEndExcluding": "2026-03-25"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}