CVE-2026-13591

Improper Authorization in DeepMyst Mysti Contact Tracking

Vulnerability report for CVE-2026-13591, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A vulnerability has been identified in DeepMyst Mysti 0.4.0. It affects the function _isTrackedConversation in the file src/managers/ChannelBridge.ts of the Contact Tracking component. Manipulation of the argument _channelType leads to improper authorization. The attack can be initiated remotely, but a high degree of complexity is required, so exploitation is considered difficult. An exploit has been made public and could be used in attacks. Patch commit: 9b4aff0f106db424aa45a35aa89dd0b8f2eb9a48. Installing the patch is recommended.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor     Product   Version / Range
deepmyst   mysti     0.4.0

CWE

CWE ID    Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Executive Summary

CVE-2026-13591 is a vulnerability in the DeepMyst Mysti 0.4.0 software, specifically in the Contact Tracking component's _isTrackedConversation function. The issue arises because the system tracks contacts using only a normalized sender identifier (like a display name or phone number) without properly including the channel identity (such as channel type or channel ID). This allows an attacker to spoof messages across different communication channels by sending messages with the same sender identifier but from a different channel, causing improper authorization.

For example, if a user has interacted with a contact named "Bob" on WhatsApp, the system tracks this contact under the key "bob" with the channel set to WhatsApp. An attacker can send a message from Telegram with the sender "Bob," and the system will mistakenly treat this message as coming from the trusted contact on WhatsApp, enabling cross-channel spoofing.

Impact Analysis

This vulnerability can allow attackers to spoof replies from trusted contacts by sending messages from a different channel but using the same sender identifier. This can lead to unauthorized injection of attacker-controlled instructions, answering pending questions as if they were the trusted recipient, or sending commands like stop or cancel to disrupt agent tasks.

The severity of the impact depends on the user's Mysti permission mode and the number of connected channels. Systems configured with high autonomy are particularly vulnerable because attackers can manipulate the system to perform unintended actions by exploiting this cross-channel identity confusion.

Detection Guidance

This vulnerability involves cross-channel identity confusion in the Mysti OpenClaw ChannelBridge component, where messages from different channels with the same sender identifier can be misattributed. Detection involves monitoring for suspicious cross-channel message spoofing or unauthorized message routing.

Since the vulnerability is related to improper authorization based on channel identity, you can detect it by checking logs or message routing behavior for cases where inbound messages from one channel are treated as if they came from a trusted contact on another channel.

Specific commands are not provided in the available resources. However, general approaches include:

  • Review application logs for inbound messages where the sender identifier matches a trusted contact but the channel differs.
  • Use network monitoring tools to detect unexpected message flows or spoofed sender identities across channels.
  • Audit the ChannelBridge component's contact tracking logic to verify if channel-scoped identities are enforced.

Mitigation Strategies

The primary mitigation step is to apply the patch identified by commit 9b4aff0f106db424aa45a35aa89dd0b8f2eb9a48, which fixes the channel-scoped contact tracking issue in the ChannelBridge component.

This patch ensures that contact tracking and pending ask matching are scoped to concrete channel IDs, preventing cross-channel sender spoofing.

Until the patch is applied, consider restricting or monitoring inbound messages from untrusted channels and avoid configurations that allow high-autonomy modes or fuzzy sender matching without channel verification.

Additionally, review your system's permission modes and connected channels to minimize exposure to this vulnerability.
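The following added example (not Mysti's own code) models the flaw described in the Executive Summary and the channel-scoped fix described above: a contact tracker that keys only on the normalised sender accepts "Bob" from Telegram as the tracked WhatsApp contact, while a key that includes the concrete channel type and ID does not. It also implements the log-review check from the Detection Guidance by flagging inbound messages whose sender matches a tracked contact on a different channel. All names, channel IDs and sample messages are constructed assumptions.

```typescript
// Added example (not Mysti's own code): sender-only keying as described in
// the advisory, the channel-scoped fix, and a log check for mismatches.
interface Contact { sender: string; channelType: string; channelId: string; }

// Normalise a display name or phone number into the lookup key.
function normalizeSender(s: string): string {
  return s.trim().toLowerCase().replace(/[^a-z0-9+]/g, "");
}

class ContactTracker {
  private tracked = new Map<string, Contact>();
  private scopedKey(c: Contact): string {
    return `${c.channelType}:${c.channelId}:${normalizeSender(c.sender)}`;
  }

  track(c: Contact): void {
    this.tracked.set(this.scopedKey(c), c);
  }

  // Vulnerable variant: compares only the normalised sender, so a matching
  // name arriving on any channel is accepted as the tracked contact.
  isTrackedUnscoped(msg: Contact): boolean {
    const want = normalizeSender(msg.sender);
    for (const c of this.tracked.values()) {
      if (normalizeSender(c.sender) === want) return true;
    }
    return false;
  }

  // Fixed variant: the lookup key includes the concrete channel type and ID,
  // so the same sender on another channel does not match.
  isTrackedScoped(msg: Contact): boolean {
    return this.tracked.has(this.scopedKey(msg));
  }
}

// Detection helper for the log review above: flags inbound messages whose
// sender matches a tracked contact but whose channel does not.
function findCrossChannelMatches(t: ContactTracker, msgs: Contact[]): Contact[] {
  return msgs.filter((m) => t.isTrackedUnscoped(m) && !t.isTrackedScoped(m));
}

// Constructed sample data mirroring the WhatsApp/Telegram scenario; IDs are placeholders.
const tracker = new ContactTracker();
tracker.track({ sender: "Bob", channelType: "whatsapp", channelId: "wa-chat-1" });
const sampleInbound: Contact[] = [
  { sender: "Bob", channelType: "whatsapp", channelId: "wa-chat-1" },
  { sender: "bob", channelType: "telegram", channelId: "tg-chat-9" },
];
```

Running findCrossChannelMatches over real inbound-message logs surfaces exactly the events the Detection Guidance describes: a trusted sender name arriving on a channel where that contact was never tracked.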

Compliance Impact

The vulnerability in DeepMyst Mysti 0.4.0 allows cross-channel identity confusion and improper authorization, enabling attackers to spoof trusted contacts and inject attacker-controlled instructions. This could lead to unauthorized access or manipulation of user communications.

Such unauthorized access and manipulation of personal or sensitive communication data could potentially violate data protection and privacy regulations like GDPR or HIPAA, which require strict controls over personal data access and integrity.

However, the provided information does not explicitly state the impact on compliance with these standards or regulations.
