CVE-2026-4400

Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users to be viewed simply by changing the conversation ID. The vulnerability is present in the endpoint 'api.1millionbot.com/api/public/conversations/' and, if exploited, could allow a remote attacker to access other users' private chatbot conversations, revealing sensitive or confidential data without requiring credentials or impersonating users. For the vulnerability to be exploited, the attacker must have the user's conversation ID.
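As an added illustration (not code from the advisory or from 1millionbot), the following Python shows the CWE-639 pattern the description refers to and the ownership check that closes it: a lookup keyed solely on the caller-supplied conversation id, beside one that also requires a caller credential and verifies the conversation belongs to that caller. The in-memory store, the owner-token scheme, the handler names and the sample ids are all assumptions made for the example.

```python
# Added illustration of CWE-639 for an endpoint shaped like
# /api/public/conversations/<conversation_id>. Hypothetical: the store, the
# owner-token scheme and the handler names are assumptions, not the vendor's code.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple
import secrets


@dataclass(frozen=True)
class Conversation:
    conversation_id: str
    owner_token: str          # opaque session token of the user who started the chat
    messages: Tuple[str, ...]


class NotFound(Exception):
    """Mapped to HTTP 404 by the (omitted) web layer."""


class Forbidden(Exception):
    """Mapped to HTTP 401/403 by the (omitted) web layer."""


# Constructed sample data: two users' chats with sequential-looking ids, so that
# an attacker who knows id 1001 can trivially try 1002.
CONVERSATIONS: Dict[str, Conversation] = {
    "1001": Conversation("1001", "tok-alice", ("Hi", "I need help with my order")),
    "1002": Conversation("1002", "tok-bob", ("My passport number is X123...",)),
}


def get_conversation_vulnerable(conversation_id: str) -> Tuple[str, ...]:
    """Vulnerable pattern: the user-controlled path key is the only input to the
    lookup and no caller identity is consulted. Anyone holding or guessing an id
    reads the messages (authorization bypass through user-controlled key)."""
    conv = CONVERSATIONS.get(conversation_id)
    if conv is None:
        raise NotFound(conversation_id)
    return conv.messages


def get_conversation_fixed(conversation_id: str, caller_token: Optional[str]) -> Tuple[str, ...]:
    """Hardened pattern: require a caller credential and check that the object
    belongs to that caller. "Not yours" and "does not exist" both raise the same
    NotFound so the endpoint cannot be used as an oracle for valid ids."""
    if not caller_token:
        raise Forbidden("authentication required")
    conv = CONVERSATIONS.get(conversation_id)
    if conv is None or not secrets.compare_digest(conv.owner_token, caller_token):
        raise NotFound(conversation_id)
    return conv.messages


def probe_ids(handler: Callable[[str], Tuple[str, ...]], ids: Iterable[str]) -> Dict[str, Tuple[str, ...]]:
    """Walk a range of candidate ids against a handler and collect what it
    discloses. Against the vulnerable handler this returns every user's chat;
    against the fixed handler only the caller's own."""
    disclosed: Dict[str, Tuple[str, ...]] = {}
    for cid in ids:
        try:
            disclosed[cid] = handler(cid)
        except (NotFound, Forbidden):
            continue
    return disclosed


if __name__ == "__main__":
    candidates = [str(i) for i in range(1000, 1004)]
    print("vulnerable:", sorted(probe_ids(get_conversation_vulnerable, candidates)))
    print("fixed, as alice:", sorted(probe_ids(lambda c: get_conversation_fixed(c, "tok-alice"), candidates)))
```

Random, high-entropy conversation ids (for example UUIDv4) make the id harder to guess and are worth having, but they are defence in depth only: the advisory's precondition is merely that the attacker holds an id, which can leak through shared links, referrers or logs, so the server-side ownership check is the actual fix.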
Configurations

Configuration 1

cpe:2.3:a:1millionbot:millie_chatbot:*:*:*:*:*:*:*:*

History

14 Apr 2026, 21:31

Type        Values Removed                                          Values Added
CPE         cpe:2.3:a:1millionbot:millie_chat_bot:*:*:*:*:*:*:*:*   cpe:2.3:a:1millionbot:millie_chatbot:*:*:*:*:*:*:*:*
First Time  (none)                                                  1millionbot millie Chatbot

13 Apr 2026, 13:01

Type        Values Removed                                                                                          Values Added
References  https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-1millionbot-millie-chatbot (untagged)   https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-1millionbot-millie-chatbot (Third Party Advisory)
CVSS        v2: unknown, v3: unknown                                                                                v2: unknown, v3: 6.5
CPE         (none)                                                                                                  cpe:2.3:a:1millionbot:millie_chat_bot:*:*:*:*:*:*:*:*
First Time  (none)                                                                                                  1millionbot
                                                                                                                    1millionbot millie Chat Bot

01 Apr 2026, 14:24

Type        Values Removed   Values Added
Summary     (none)           (es) Insecure Direct Object Reference (IDOR) vulnerability in the Millie chat by 1millionbot that allows private conversations of other users to be viewed simply by changing the conversation ID. The vulnerability is present in the endpoint 'api.1millionbot.com/api/public/conversations/' and, if exploited, could allow a remote attacker to access other users' private chatbot conversations, revealing sensitive or confidential data without requiring credentials or impersonating users. For the vulnerability to be exploited, the attacker must have the user's conversation ID.

31 Mar 2026, 11:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-31 11:16

Updated : 2026-04-14 21:31


NVD link : CVE-2026-4400

Mitre link : CVE-2026-4400

CVE.ORG link : CVE-2026-4400

Products Affected

1millionbot

  • millie_chatbot
CWE
CWE-639

Authorization Bypass Through User-Controlled Key