Executive Summary

CVE-2026-47225 is a vulnerability in Typesense, a fast, typo-tolerant search engine, affecting versions prior to 29.1 and 30.2. The issue arises when both server-side search result caching and Scoped Search API Keys with embedded filters are used together. Under certain request ordering, cached search results could be improperly reused across requests that have different Scoped Search API Key constraints. This means a request might receive search results that should have been restricted by its specific Scoped Search API Key, leading to unintended disclosure of search results across scoped authorization contexts.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to search results that should be restricted by Scoped Search API Keys. Specifically, cached search results intended for one scoped authorization context could be exposed to another, potentially allowing users to see data they are not permitted to access. However, it does not affect data integrity or service availability.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying if your Typesense deployment is using both server-side search result caching and Scoped Search API Keys with embedded filters.

You should check the Typesense version to see if it is affected (versions <=29.0 and >=30.0, <30.2 are vulnerable).

Additionally, monitoring search requests for reuse of cached results across different Scoped Search API Key constraints can help detect exploitation.

While no specific commands are provided in the resources, you can use network monitoring tools or log analysis to identify unusual sharing of search results between different scoped API keys.

For example, you might query your Typesense server version with a command like: `typesense-server --version` or check your deployment configuration files for caching settings and API key usage.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to disable server-side caching for search requests that use Scoped Search API Keys with embedded filters.

This workaround prevents cached search results from being reused across requests with different scoped API key constraints, thereby avoiding unintended disclosure.

Ultimately, you should upgrade your Typesense deployment to version 29.1 or 30.2, where this vulnerability has been patched.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability may result in unintended disclosure of search results across scoped authorization contexts due to improper cache isolation. Such unauthorized data exposure could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to sensitive information.

However, the vulnerability does not affect data integrity or service availability, focusing primarily on confidentiality concerns related to cached search results.

Mitigations include patching to versions 29.1 and 30.2 or disabling server-side caching for requests using scoped API keys, which can help maintain compliance by preventing unauthorized data exposure.

Useful 0 Not Useful 0