CVE-2026-23842
Denial of Service in ChatterBot via SQLAlchemy Connection Exhaustion
Publication date: 2026-01-19
Last updated on: 2026-02-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gunthercox | chatterbot | to 1.2.11 (exc) |
| gunthercox | chatterbot | 1.2.11 |
| chatterbot | chatterbot | to 1.2.11 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23842 is a denial-of-service vulnerability in ChatterBot versions up to 1.2.10 caused by improper management of database sessions and connection pools. When multiple threads concurrently call the get_response() method, the underlying SQLAlchemy connection pool can be exhausted because connections are not released properly. This leads to blocking of requests and persistent service unavailability until a manual restart is performed. The issue stems from uncontrolled resource consumption in the database connection handling. [4, 3]
How can this vulnerability impact me? :
This vulnerability can cause your ChatterBot service to become unresponsive and unavailable due to exhaustion of database connections. Attackers can remotely trigger this denial-of-service condition without authentication by making concurrent requests to the get_response() method, leading to persistent service downtime that requires manual intervention to recover. This impacts the availability of your chatbot service. [4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for symptoms of SQLAlchemy connection pool exhaustion, such as persistent service unavailability and SQLAlchemy TimeoutError exceptions when multiple concurrent calls to get_response() are made. A proof-of-concept involves running concurrent threads that call get_response() to observe if the service becomes unresponsive. Specific commands are not provided in the resources, but testing concurrent invocations of get_response() and monitoring logs for connection timeout errors can help detect the issue. [4]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade ChatterBot to version 1.2.11 or later, which includes fixes such as safe default parameters for SQLAlchemy connection pooling, proper session management with scoped sessions, and ensuring connections are closed properly to prevent exhaustion. If upgrading is not immediately possible, consider limiting concurrent calls to get_response() to avoid exhausting the connection pool and manually restarting the service if it becomes unresponsive. The official fix introduces parameters like pool_size, max_overflow, pool_timeout, pool_recycle, and pool_pre_ping to improve connection handling. [2, 3, 4, 5]