CVE-2026-4400 HIGH

CVE-2026-4400: Multiple vulnerabilities in 1millionbot Millie chatbot

Vendor 1Millionbot
Product Millie chat
Weakness CWE-639 · IDOR
Published March 31, 2026
Last update March 31, 2026

CVSS base score

7.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

What the vulnerability does

Description

Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows the private conversations of other users to be viewed simply by changing the conversation ID. The vulnerability is present in the endpoint 'api.1millionbot.com/api/public/conversations/' and, if exploited, could allow a remote attacker to access other users' private chatbot conversations, revealing sensitive or confidential data without requiring credentials or impersonating users. In order for the vulnerability to be exploited, the attacker must have the user's conversation ID.

Key dates

Disclosure timeline

March 31, 2026 CVE published
March 31, 2026 Record updated