CVE-2026-23875
Improper Permission Check in CrawlChat Discord Bot Enables Content Manipulation
Publication date: 2026-01-19
Last updated on: 2026-02-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| crawlchat | crawlchat | < 0.0.8 (0.0.8 itself excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the CrawlChat Discord bot exists because the bot performed no permission check when a user added content to its knowledge base by reacting to a message with the 🧩 emoji. Only administrators or moderators holding a management permission such as Manage Server (ManageGuild) or Manage Messages should be able to save messages to the knowledge base, but because that check was missing, any guild member without management privileges could add arbitrary, potentially malicious or manipulated content. An attacker can use this to shape the bot's later responses, for example steering users to malicious sites or causing information to be disclosed. [1]
How can this vulnerability impact me?
If exploited, this vulnerability lets unauthorized members of a Discord guild add malicious content to the CrawlChat bot's knowledge base. Because the bot answers from that knowledge base, the manipulated content is then served across all of its integrations, for example redirecting users to malicious websites or prompting them to send sensitive information to attackers. In short, it compromises the integrity and trustworthiness of the bot's responses and can harm the users and community that rely on it. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the Discord bot's logs for the unauthorized-usage warnings tied to the 🧩 emoji reaction. After the patch, the bot logs a warning whenever a user without the Administrator, ManageGuild, or ManageMessages permission attempts to add content to the knowledge base, so check the bot's console or log files for entries naming the user ID and guild ID of the attempt to use the learn feature. Note that these warnings exist only in patched versions: a version before 0.0.8 leaves no such trace of an unauthorized addition, so you should also review the knowledge base itself for entries that unprivileged members could have saved. Since this is Discord bot behavior rather than network traffic, network commands are not applicable; reviewing the bot's logs is the key step. [3]
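The following is an added example, not CrawlChat's own code, modelling the handler described in the two answers above: first the unchecked "save on 🧩 reaction" behaviour, then the same flow gated by an Administrator / ManageGuild / ManageMessages check that records every denied attempt with the user and guild IDs (the information the patched bot's warnings are described as carrying). The permission bit values are Discord's documented API flags; the function names, the knowledge-base shape, the denial record and the sample reaction and members are assumptions made for illustration.

```javascript
// Added example (not CrawlChat's code). Discord permission bits from the
// developer documentation; discord.js exposes them as BigInt, so BigInt is used here.
const ADMINISTRATOR   = 1n << 3n;   // 0x8
const MANAGE_GUILD    = 1n << 5n;   // 0x20, shown as "Manage Server" in the client
const MANAGE_MESSAGES = 1n << 13n;  // 0x2000
const VIEW_CHANNEL    = 1n << 10n;  // used only to build an ordinary member below
const SEND_MESSAGES   = 1n << 11n;

// Reaction that triggers the learn feature, per the advisory.
const LEARN_EMOJI = '\u{1F9E9}'; // 🧩

// Assumed knowledge-base store: saved entries plus an audit list of refused attempts.
function createKnowledgeBase() {
  return { entries: [], denied: [] };
}

// Vulnerable behaviour (CrawlChat before 0.0.8 as described): any member's
// reaction with the emoji saves the message; nobody checks who reacted.
function handleReactionVulnerable(kb, reaction, member) {
  if (reaction.emoji !== LEARN_EMOJI) return false;
  kb.entries.push({ messageId: reaction.messageId, content: reaction.content, addedBy: member.id });
  return true;
}

// Authorization check: the member's permission bitfield in this guild must
// contain at least one of the three management permissions.
function canManageKnowledge(permissions) {
  const required = ADMINISTRATOR | MANAGE_GUILD | MANAGE_MESSAGES;
  return (BigInt(permissions) & required) !== 0n;
}

// Hardened behaviour: the check gates the write, and a refused attempt is
// recorded with user and guild IDs so it can be found later in an audit.
function handleReactionHardened(kb, reaction, member) {
  if (reaction.emoji !== LEARN_EMOJI) return false;
  if (!canManageKnowledge(member.permissions)) {
    kb.denied.push({ userId: member.id, guildId: reaction.guildId, messageId: reaction.messageId });
    return false;
  }
  kb.entries.push({ messageId: reaction.messageId, content: reaction.content, addedBy: member.id });
  return true;
}

// Constructed scenario: an ordinary member and a moderator both react to a
// planted message. Returns both stores so the outcomes can be compared.
function runScenario() {
  const reaction = {
    emoji: LEARN_EMOJI, guildId: '111', messageId: '222',
    content: 'Support has moved to http://attacker.example/login', // constructed payload
  };
  const ordinaryMember = { id: '333', permissions: VIEW_CHANNEL | SEND_MESSAGES };
  const moderator      = { id: '444', permissions: MANAGE_MESSAGES };

  const before = createKnowledgeBase(); // unpatched behaviour
  const after  = createKnowledgeBase(); // patched behaviour

  handleReactionVulnerable(before, reaction, ordinaryMember); // saved: no check
  handleReactionHardened(after, reaction, ordinaryMember);    // refused and recorded
  handleReactionHardened(after, reaction, moderator);         // saved: has ManageMessages

  return { before, after };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

In the unpatched store the ordinary member's planted text is saved under their ID; in the hardened store only the moderator's save lands, and the ordinary member's attempt appears in `denied`, which is the record a log review would look for. The check is evaluated on the member's permissions in the guild where the reaction happened, not on any global role, since the same user can be a moderator in one guild and an ordinary member in another.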
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update the CrawlChat Discord bot to version 0.0.8 or later, which adds the missing permission check. After updating, confirm that only users holding the Administrator, ManageGuild, or ManageMessages permission can add content to the knowledge base via the 🧩 emoji reaction. Also review your guild's role and permission setup, since those permissions now decide who can teach the bot, and grant them only to members you would trust to edit its knowledge base. [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability lets unauthorized users add malicious or manipulated content to the CrawlChat knowledge base, which can result in the bot spreading harmful information or leaking sensitive data. Unauthorized data manipulation and potential data leakage of this kind may affect compliance with data protection regimes such as GDPR or HIPAA, which require controls over data integrity and confidentiality. The provided resources do not, however, detail any specific compliance impact. [1]