CVE-2026-4400

Multiple vulnerabilities in 1millionbot Millie chatbot

Assigner: INCIBE
Reserved: 18.03.2026 Published: 31.03.2026 Updated: 31.03.2026

Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users being viewed by simply changing the conversation ID. The vulnerability is present in the endpoint 'api.1millionbot.com/api/public/conversations/' and, if exploited, could allow a remote attacker to access other users private chatbot conversations, revealing sensitive or confidential data without requiring credentials or impersonating users. In order for the vulnerability to be exploited, the attacker must have the user's conversation ID.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
CVSS Score: 7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	High
Attack Complexity	High	Integrity	None	Integrity	High
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	1millionbot
Product	Millie chat
Versions	Default: unaffected Version 3.6.0 is affected

Vendor

1millionbot

Product

Millie chat

Versions

Default: unaffected

Version 3.6.0 is affected

Solutions

The vulnerabilities have been fixed by 1millionbot team in version 3.6.0.

Credits

David Utón Amaya (m3n0sd0n4ld) finder

References

Problem Types

CWE-639 Authorization bypass through User-Controlled key CWE