{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4263", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2026-03-16T12:00:03.903Z", "datePublished": "2026-03-26T09:12:45.571Z", "dateUpdated": "2026-06-09T08:58:49.098Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-06-09T08:58:49.098Z"}, "title": "Incorrect authorization in HiJiffy Chatbot", "datePublic": "2026-03-26T09:08:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863", "type": "CWE"}]}], "affected": [{"vendor": "HiJiffy", "product": "HiJiffy Chatbot", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hijiffy:hijiffy_chatbot:all_versions:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en", "value": "Vulnerability of incorrect authorization in\u00a0HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter\u00a0\n'visitor' in '/api/v1/webchat/message'.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter \n'visitor' in '/api/v1/webchat/message'."}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hijiffy-chatbot"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}}], "solutions": [{"lang": "en", "value": "The vulnerabilities have been resolved by the HiJiffy team. Since the affected product is a cloud-based solution, the fix has already been deployed across all online versions, so no further action is required on the part of users.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The vulnerabilities have been resolved by the HiJiffy team. Since the affected product is a cloud-based solution, the fix has already been deployed across all online versions, so no further action is required on the part of users."}]}], "credits": [{"lang": "en", "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T14:01:09.108432Z", "id": "CVE-2026-4263", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:02:38.779Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4263", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T14:01:09.108432Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:02:29.524Z"}}], "cna": {"title": "Incorrect authorization in HiJiffy Chatbot", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "HiJiffy", "product": "HiJiffy Chatbot", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The vulnerabilities have been resolved by the HiJiffy team. Since the affected product is a cloud-based solution, the fix has already been deployed across all online versions, so no further action is required on the part of users.", "supportingMedia": [{"type": "text/html", "value": "The vulnerabilities have been resolved by the HiJiffy team. Since the affected product is a cloud-based solution, the fix has already been deployed across all online versions, so no further action is required on the part of users.", "base64": false}]}], "datePublic": "2026-03-26T09:08:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hijiffy-chatbot"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Vulnerability of incorrect authorization in\u00a0HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter\u00a0\n'visitor' in '/api/v1/webchat/message'.", "supportingMedia": [{"type": "text/html", "value": "Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter \n'visitor' in '/api/v1/webchat/message'.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hijiffy:hijiffy_chatbot:all_versions:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-06-09T08:58:49.098Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4263", "state": "PUBLISHED", "dateUpdated": "2026-06-09T08:58:49.098Z", "dateReserved": "2026-03-16T12:00:03.903Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2026-03-26T09:12:45.571Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability of incorrect authorization in\u00a0HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter\u00a0\n'visitor' in '/api/v1/webchat/message'."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n incorrecta en HiJiffy Chatbot permite a un atacante descargar mensajes privados de otros usuarios a trav\u00e9s del par\u00e1metro 'visitor' en '/api/v1/webchat/message'."}], "id": "CVE-2026-4263", "lastModified": "2026-05-19T15:43:28.500", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-26T10:16:26.173", "references": [{"source": "[email protected]", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hijiffy-chatbot"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "HiJiffy Chatbot", "source": "cna", "vendor": "HiJiffy"}, "product": "hijiffy_chatbot", "vendor": "hijiffy"}], "analysis": {"en": {"generated_at": "2026-03-26T10:20:19.907115+00:00", "value": {"mitigation_remediation": ["Apply the vendor's patch or upgrade to the latest HiJiffy Chatbot release as recommended by the vendor.", "If an immediate patch is not possible, restrict the /api/v1/webchat/message endpoint to authenticated requests only and remove or neutralise the 'visitor' parameter.", "Conduct an internal security review or penetration test to confirm that the authorization check now functions correctly.", "Monitor service logs for repeated use of the 'visitor' parameter or abnormal message download traffic."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized disclosure of private user messages"}, "threat_synthesis": {"affected_systems": "The flaw affects all versions of the HiJiffy Chatbot software, as indicated by the CPE reference that covers every release. Administrators of installations using HiJiffy Chatbot should verify that their version is current, as older releases lack the authorization fix.", "description_and_impact": "The vulnerability resides in the HiJiffy Chatbot's authorization logic. Because of an incorrect check, requests to the /api/v1/webchat/message endpoint can specify a 'visitor' parameter and retrieve messages that belong to other users. This results in an unauthorized disclosure of private content. The weakness maps to CWE\u2011863, Authorization Bypass through Privilege Escalation. An attacker can obtain sensitive personal or business information contained in these messages, affecting confidentiality and possibly reputation.", "risk_and_exploitability": "The CVSS score of 6.9 places this issue in the moderate-to-high range, indicating significant potential impact if exploited. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. However, the attack path is straightforward: an unauthenticated user can send an HTTP request to the API endpoint with a crafted 'visitor' parameter, so the likelihood of exploitation in the wild remains reasonable. Infrastructure with open API access or without network segmentation could be at higher risk."}}}}, "created": "2026-03-26T12:08:09.980159+00:00", "updated": "2026-03-27T08:36:19.354773+00:00", "vendors": ["hijiffy", "hijiffy$PRODUCT$hijiffy_chatbot"]}