CVE-2026-4399

Prompt injection vulnerability in 1millionbot Millie chatbot that occurs when a user manages to evade chat restrictions using Boolean prompt injection techniques (formulating a question in such a way that, upon receiving an affirmative response ('true'), the model executes the injected instruction), causing it to return prohibited information and information outside its intended context. Successful exploitation of this vulnerability could allow a malicious remote attacker to abuse the service for purposes other than those originally intended, or even execute out-of-context tasks using 1millionbot's resources and/or OpenAI's API key. This allows the attacker to evade the containment mechanisms implemented during LLM model training and obtain responses or chat behaviors that were originally restricted.
Configurations

Configuration 1

cpe:2.3:a:1millionbot:millie_chatbot:*:*:*:*:*:*:*:*

History

13 Apr 2026, 13:14

| Type | Values Removed | Values Added |
|---|---|---|
| First Time | | 1millionbot; 1millionbot millie Chatbot |
| CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 7.5 |
| References | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-1millionbot-millie-chatbot | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-1millionbot-millie-chatbot - Third Party Advisory |
| CWE | | CWE-77 |
| CPE | | cpe:2.3:a:1millionbot:millie_chatbot:*:*:*:*:*:*:*:* |

01 Apr 2026, 14:24

| Type | Values Removed | Values Added |
|---|---|---|
| Summary | | (es) Prompt injection vulnerability in the 1millionbot Millie chatbot that occurs when a user manages to evade the chat restrictions using Boolean prompt injection techniques (formulating a question in such a way that, upon receiving an affirmative response ('true'), the model executes the injected instruction), causing it to return prohibited information and information outside its intended context. Successful exploitation of this vulnerability could allow a malicious remote attacker to abuse the service for purposes other than those originally intended, or even execute out-of-context tasks using 1millionbot's resources and/or OpenAI's API key. This allows the attacker to evade the containment mechanisms implemented during LLM model training and obtain chat responses or behaviors that were originally restricted. |

31 Mar 2026, 11:16

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |

Information

Published : 2026-03-31 11:16

Updated : 2026-04-13 13:14


NVD link : CVE-2026-4399

Mitre link : CVE-2026-4399

CVE.ORG link : CVE-2026-4399



Products Affected

1millionbot

  • millie_chatbot

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')