{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4262", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2026-03-16T11:59:56.946Z", "datePublished": "2026-03-26T09:06:22.472Z", "dateUpdated": "2026-06-09T08:58:28.499Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-06-09T08:58:28.499Z"}, "title": "Incorrect authorization in HiJiffy Chatbot", "datePublic": "2026-03-26T09:01:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863", "type": "CWE"}]}], "affected": [{"vendor": "HiJiffy", "product": "HiJiffy Chatbot", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hijiffy:hijiffy_chatbot:all_versions:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en", "value": "Vulnerability of incorrect authorization in\u00a0HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'ID' in '/api/v1/download/<ID>/'.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Vulnerability of incorrect authorization in&nbsp;HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'ID' in '/api/v1/download/&lt;ID&gt;/'."}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hijiffy-chatbot"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}}], "solutions": [{"lang": "en", "value": "The vulnerabilities have been resolved by the HiJiffy team. Since the affected product is a cloud-based solution, the fix has already been deployed across all online versions, so no further action is required on the part of users.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The vulnerabilities have been resolved by the HiJiffy team. Since the affected product is a cloud-based solution, the fix has already been deployed across all online versions, so no further action is required on the part of users."}]}], "credits": [{"lang": "en", "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T14:05:49.522456Z", "id": "CVE-2026-4262", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:06:16.836Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4262", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T14:05:49.522456Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:06:06.102Z"}}], "cna": {"title": "Incorrect authorization in HiJiffy Chatbot", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "HiJiffy", "product": "HiJiffy Chatbot", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The vulnerabilities have been resolved by the HiJiffy team. Since the affected product is a cloud-based solution, the fix has already been deployed across all online versions, so no further action is required on the part of users.", "supportingMedia": [{"type": "text/html", "value": "The vulnerabilities have been resolved by the HiJiffy team. Since the affected product is a cloud-based solution, the fix has already been deployed across all online versions, so no further action is required on the part of users.", "base64": false}]}], "datePublic": "2026-03-26T09:01:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hijiffy-chatbot"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Vulnerability of incorrect authorization in\u00a0HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'ID' in '/api/v1/download/<ID>/'.", "supportingMedia": [{"type": "text/html", "value": "Vulnerability of incorrect authorization in&nbsp;HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'ID' in '/api/v1/download/&lt;ID&gt;/'.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hijiffy:hijiffy_chatbot:all_versions:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-06-09T08:58:28.499Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4262", "state": "PUBLISHED", "dateUpdated": "2026-06-09T08:58:28.499Z", "dateReserved": "2026-03-16T11:59:56.946Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2026-03-26T09:06:22.472Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability of incorrect authorization in\u00a0HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'ID' in '/api/v1/download/<ID>/'."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n incorrecta en HiJiffy Chatbot permite a un atacante descargar mensajes privados de otros usuarios a trav\u00e9s del par\u00e1metro 'ID' en '/api/v1/download//'."}], "id": "CVE-2026-4262", "lastModified": "2026-05-19T15:43:28.500", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-26T10:16:25.780", "references": [{"source": "[email protected]", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hijiffy-chatbot"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "HiJiffy Chatbot", "source": "cna", "vendor": "HiJiffy"}, "product": "hijiffy_chatbot", "vendor": "hijiffy"}], "analysis": {"en": {"generated_at": "2026-03-26T10:20:32.095014+00:00", "value": {"mitigation_remediation": ["Apply the latest HiJiffy Chatbot update as released by the vendor", "If an update cannot be applied immediately, restrict or disable the /api/v1/download/<ID>/ endpoint to authenticated users only", "Ensure that all routes that accept user identifiers enforce proper ownership checks and return data only for the requesting user"], "summary": {"action": "Patch promptly", "impact": "Data disclosure"}, "threat_synthesis": {"affected_systems": "The affected component is the HiJiffy Chatbot service, for all published versions. The exploit originates from the public API endpoint /api/v1/download/<ID>/, which accepts a numeric or string identifier passed as a path parameter.", "description_and_impact": "A flaw in authorization controls within the HiJiffy Chatbot permits an attacker to retrieve private messages belonging to other users. By supplying an arbitrary identifier in the /api/v1/download/<ID>/ endpoint, an unauthenticated or improperly authenticated request can be used to export message contents. This weakness corresponds to the CWE-863 category, where access control mechanisms fail to enforce ownership checks, leading to confidentiality violations.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a medium severity vulnerability that can be leveraged remotely via standard HTTP requests. EPSS information is not available and the issue is not listed in the CISA KEV catalog, but the remote reachability and lack of authentication controls mean that an attacker with internet access can easily target the endpoint. As the vulnerability affects only message data and does not grant system compromise, the impact is limited to privacy breach."}}}}, "created": "2026-03-26T12:08:11.080815+00:00", "updated": "2026-03-27T08:36:20.338301+00:00", "vendors": ["hijiffy", "hijiffy$PRODUCT$hijiffy_chatbot"]}