CVE-2026-23842
Unknown Unknown - Not Provided
Denial of Service in ChatterBot via SQLAlchemy Connection Exhaustion

Publication date: 2026-01-19

Last updated on: 2026-02-05

Assigner: GitHub, Inc.

Description
ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover. Version 1.2.11 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-02-05
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23842
EUVD
EUVD-2026-3299
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
gunthercox chatterbot to 1.2.11 (exc)
gunthercox chatterbot 1.2.11
chatterbot chatterbot to 1.2.11 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23842 is a denial-of-service vulnerability in ChatterBot versions up to 1.2.10 caused by improper management of database sessions and connection pools. When multiple threads concurrently call the get_response() method, the underlying SQLAlchemy connection pool can be exhausted because connections are not released properly. This leads to blocking of requests and persistent service unavailability until a manual restart is performed. The issue stems from uncontrolled resource consumption in the database connection handling. [4, 3]

Impact Analysis

This vulnerability can cause your ChatterBot service to become unresponsive and unavailable due to exhaustion of database connections. Attackers can remotely trigger this denial-of-service condition without authentication by making concurrent requests to the get_response() method, leading to persistent service downtime that requires manual intervention to recover. This impacts the availability of your chatbot service. [4]

Detection Guidance

This vulnerability can be detected by monitoring for symptoms of SQLAlchemy connection pool exhaustion, such as persistent service unavailability and SQLAlchemy TimeoutError exceptions when multiple concurrent calls to get_response() are made. A proof-of-concept involves running concurrent threads that call get_response() to observe if the service becomes unresponsive. Specific commands are not provided in the resources, but testing concurrent invocations of get_response() and monitoring logs for connection timeout errors can help detect the issue. [4]

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade ChatterBot to version 1.2.11 or later, which includes fixes such as safe default parameters for SQLAlchemy connection pooling, proper session management with scoped sessions, and ensuring connections are closed properly to prevent exhaustion. If upgrading is not immediately possible, consider limiting concurrent calls to get_response() to avoid exhausting the connection pool and manually restarting the service if it becomes unresponsive. The official fix introduces parameters like pool_size, max_overflow, pool_timeout, pool_recycle, and pool_pre_ping to improve connection handling. [2, 3, 4, 5]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23842. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart