CVE-2026-4400
Status: Received - Intake
IDOR Vulnerability in 1millionbot Millie Chat Exposes Private Conversations

Publication date: 2026-03-31

Last updated on: 2026-04-14

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows the private conversations of other users to be viewed by simply changing the conversation ID. The vulnerability is present in the endpoint 'api.1millionbot.com/api/public/conversations/' and, if exploited, could allow a remote attacker to access other users' private chatbot conversations, revealing sensitive or confidential data without requiring credentials or impersonating users. In order for the vulnerability to be exploited, the attacker must have the target user's conversation ID.
Meta Information
Published: 2026-03-31
Last Modified: 2026-04-14
Generated: 2026-05-07
AI Q&A: 2026-03-31
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: 1millionbot
Product: millie_chatbot
Version / Range: up to 3.6.0, exclusive (i.e. versions before 3.6.0)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4400 is an Insecure Direct Object Reference (IDOR) vulnerability in the 1millionbot Millie chat. It allows an attacker to view private conversations of other users by simply changing the conversation ID in the API endpoint 'api.1millionbot.com/api/public/conversations/'.

The attacker does not need to have credentials or impersonate users to exploit this vulnerability, but must know the conversation ID of the target user.

Exploiting this flaw can lead to unauthorized access to sensitive or confidential chatbot conversations.


How can this vulnerability impact me?

This vulnerability can impact you by exposing your private chatbot conversations to unauthorized remote attackers.

Sensitive or confidential information contained in these conversations could be revealed without your consent or knowledge.

Since no authentication or impersonation is required, the risk of data leakage is significant if an attacker obtains a valid conversation ID.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection means finding reads of conversation data under IDs that do not belong to the requester. The endpoint 'api.1millionbot.com/api/public/conversations/' is part of the vendor's hosted API, so the access logs that would show exploitation (a single client fetching many distinct conversation IDs and receiving 200 responses) are held by 1millionbot; a customer embedding the chatbot does not see them and should ask the vendor to check.

Confirming the flaw directly means requesting the ID of a conversation that belongs to another session and seeing whether its messages come back. Do that only with conversations you created yourself (for example, start a chat in one browser session and request that conversation's ID from a second, unrelated session) or with the vendor's authorization: fetching other people's conversations on a production service is unauthorized access regardless of how easy it is.

Packet capture is of limited use here because the API is served over HTTPS, so Wireshark shows TLS records rather than the conversation ID in the request path; a logging proxy at your perimeter, or a TLS-terminating proxy, is where the requested paths become visible.

  • Use curl or a similar tool to test access: curl -sS 'https://api.1millionbot.com/api/public/conversations/{conversation_id}', replacing {conversation_id} with the ID of a conversation from a different session that you control; a 200 response carrying that session's messages, with no session-bound credential presented, confirms the IDOR.
  • Review proxy or WAF logs for one source requesting many distinct IDs under that path in a short interval.
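The server-side signal described above, run over a few constructed log lines. This is an added example written for this page, not tooling from 1millionbot or INCIBE; the combined log format, the '/api/public/conversations/<id>' path pattern and the thresholds are assumptions to adapt to the real server's logs. It also flags when the IDs a client read look like a counter, since guessable IDs make the "attacker must know the ID" precondition cheap to satisfy.

```python
"""Conversation-ID enumeration detector for access logs (added example).

Illustration written for this page, not vendor tooling. The log format
(Apache/nginx combined style), the request path and the thresholds are
assumptions. The idea: an IDOR that needs only a conversation ID shows up
as one client successfully reading many distinct IDs.
"""
import re
from collections import defaultdict

# Constructed sample log, combined format: ip - - [ts] "METHOD path HTTP/x" status size
SAMPLE_LOG = """\
203.0.113.7 - - [31/Mar/2026:10:00:05 +0000] "GET /api/public/conversations/c1001 HTTP/1.1" 200 512
203.0.113.7 - - [31/Mar/2026:10:00:40 +0000] "GET /api/public/conversations/c1001 HTTP/1.1" 200 640
this line is deliberately malformed and must be skipped
198.51.100.9 - - [31/Mar/2026:10:01:00 +0000] "GET /api/public/conversations/c1001 HTTP/1.1" 200 512
198.51.100.9 - - [31/Mar/2026:10:01:01 +0000] "GET /api/public/conversations/c1002 HTTP/1.1" 200 498
198.51.100.9 - - [31/Mar/2026:10:01:01 +0000] "GET /api/public/conversations/c1003 HTTP/1.1" 404 0
198.51.100.9 - - [31/Mar/2026:10:01:02 +0000] "GET /api/public/conversations/c1004 HTTP/1.1" 200 730
198.51.100.9 - - [31/Mar/2026:10:01:02 +0000] "GET /api/public/conversations/c1005 HTTP/1.1" 200 702
198.51.100.9 - - [31/Mar/2026:10:01:03 +0000] "GET /api/public/conversations/c1006 HTTP/1.1" 200 655
198.51.100.9 - - [31/Mar/2026:10:01:03 +0000] "POST /api/public/conversations HTTP/1.1" 201 88
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)
CONV_PATH_RE = re.compile(r'^/api/public/conversations/(?P<cid>[^/?#]+)$')


def parse_line(line):
    """Return a dict (ip, ts, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def successful_reads_by_client(lines):
    """Map client IP -> set of conversation IDs it read with a 200 response.
    Failed reads (404 etc.) and non-conversation paths are ignored."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue
        pm = CONV_PATH_RE.match(rec["path"])
        if pm:
            seen[rec["ip"]].add(pm.group("cid"))
    return seen


def find_enumerators(lines, max_distinct_ids=3):
    """Clients that successfully read more than max_distinct_ids distinct
    conversations. A legitimate widget session touches one (or a few) IDs;
    an IDOR scan touches many. The threshold is an assumption; tune it on
    real traffic and add a time window in production."""
    seen = successful_reads_by_client(lines)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) > max_distinct_ids}


def ids_look_guessable(ids):
    """True if the IDs share a prefix and their numeric suffixes sit in a
    tight range (e.g. c1001..c1006), i.e. they come from a counter rather
    than a CSPRNG. Random IDs do not satisfy this."""
    parsed = [re.fullmatch(r"(.*?)(\d+)", cid) for cid in ids]
    if len(parsed) < 2 or any(m is None for m in parsed):
        return False
    prefixes = {m.group(1) for m in parsed}
    nums = [int(m.group(2)) for m in parsed]
    return len(prefixes) == 1 and (max(nums) - min(nums) + 1) <= 2 * len(nums)


if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG.splitlines()).items():
        flag = " (sequential IDs)" if ids_look_guessable(ids) else ""
        print(f"{ip} read {len(ids)} distinct conversations{flag}: {', '.join(ids)}")
```

On the sample, only 198.51.100.9 is flagged: five distinct IDs returned 200 (the 404 for c1003 is not counted), and the IDs cluster like a counter. The legitimate client re-reading its own c1001 is not.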

What immediate steps should I take to mitigate this vulnerability?

The vulnerable endpoint runs on 1millionbot's hosted API, so the real fix (an authorization check that the requester is entitled to the conversation, not merely that the ID exists) can only be applied by the vendor. According to the affected range above, versions of millie_chatbot before 3.6.0 are affected; confirm with 1millionbot which version serves your deployment and whether the fix is live. Disabling or restricting the 'api.1millionbot.com/api/public/conversations/' endpoint is not something a customer can do, since it is served from the vendor's domain.

Until the fix is confirmed, limit what a leaked ID is worth: treat conversation IDs as secrets (keep them out of URLs, referrers, analytics and client-side logs) and avoid routing sensitive or regulated data through the chatbot.

Ask the vendor to audit its API access logs for conversation-ID enumeration and to tell you whether conversations belonging to your bot were read.
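The authorization failure behind CWE-639 and the check the mitigation above calls for, side by side. This is an added example written for this page and serves both the "explain" and the "mitigate" answers; it is not code from 1millionbot or the advisory and makes no claim about how the real API is built. The in-memory store, the per-conversation access token handed to the anonymous visitor, the handler names and the 404-on-mismatch choice are all assumptions.

```python
"""IDOR (CWE-639) on a conversation-read endpoint: vulnerable lookup beside a
hardened one. Added illustration, not 1millionbot's code; the store, the
per-conversation access token and the handler signatures are assumptions.
"""
import hashlib
import hmac
import secrets


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


class ConversationStore:
    """In-memory stand-in for the conversations table (assumed)."""

    def __init__(self):
        self._rows = {}

    def create(self):
        """Start a conversation for an anonymous widget visitor.

        Returns (conversation_id, access_token). The token is handed to the
        client once and is its only proof of ownership on a public,
        unauthenticated endpoint; the server keeps only a hash of it. The ID
        is random too, but unguessability is defence in depth, not the
        authorization check."""
        conv_id = secrets.token_urlsafe(16)
        access_token = secrets.token_urlsafe(32)
        self._rows[conv_id] = {"token_digest": _digest(access_token), "messages": []}
        return conv_id, access_token

    def append(self, conv_id, role, text):
        self._rows[conv_id]["messages"].append({"role": role, "text": text})

    def row(self, conv_id):
        return self._rows.get(conv_id)


NOT_FOUND = (404, {"error": "not found"})


def get_conversation_vulnerable(store, conv_id):
    """GET /conversations/<id> as CWE-639 describes it: the lookup key is the
    whole authorization decision, so anyone who knows (or guesses) the ID
    reads the conversation."""
    row = store.row(conv_id)
    if row is None:
        return NOT_FOUND
    return 200, {"messages": row["messages"]}


def get_conversation(store, conv_id, access_token):
    """Hardened handler: the caller must present the token issued when the
    conversation was created, compared in constant time against the stored
    digest. A wrong token gets the same 404 as an unknown ID, so the endpoint
    does not confirm which IDs exist."""
    row = store.row(conv_id)
    if row is None or not access_token:
        return NOT_FOUND
    if not hmac.compare_digest(_digest(access_token), row["token_digest"]):
        return NOT_FOUND
    return 200, {"messages": row["messages"]}


def demo():
    """Two anonymous visitors; Alice tries to read Bob's conversation."""
    store = ConversationStore()
    alice_id, alice_token = store.create()
    bob_id, bob_token = store.create()
    store.append(bob_id, "user", "my order is 4471, card ending 9012")  # constructed
    return {
        "vulnerable_cross_read": get_conversation_vulnerable(store, bob_id),
        "fixed_cross_read": get_conversation(store, bob_id, alice_token),
        "fixed_own_read": get_conversation(store, bob_id, bob_token),
        "fixed_unknown_id": get_conversation(store, "no-such-id", bob_token),
        "fixed_no_token": get_conversation(store, bob_id, None),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name}: {status} {body}")
```

The vulnerable handler hands Bob's messages to anyone holding his ID; the hardened one returns 200 only to the holder of the token issued with that conversation, and answers a wrong token and an unknown ID identically. In a real deployment the token would travel in a header set by the widget, and the same ownership check would guard every other operation on the conversation (append, delete, export), not just the read.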


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthorized remote attackers to access private chatbot conversations of other users by changing the conversation ID, potentially exposing sensitive or confidential data without requiring credentials or impersonation.

Such unauthorized disclosure of private user data could lead to non-compliance with data protection regulations like GDPR or HIPAA, which mandate strict controls over access to personal and sensitive information.

