Medium severity4.3NVD Advisory· Published Dec 30, 2024· Updated Apr 15, 2026

CVE-2024-52294

Description

Khoj is a self-hostable artificial intelligence app. Prior to version 1.29.10, an Insecure Direct Object Reference (IDOR) vulnerability in the update_subscription endpoint allows any authenticated user to manipulate other users' Stripe subscriptions by simply modifying the email parameter in the request. The vulnerability exists in the subscription endpoint at /api/subscription. The endpoint uses an email parameter as a direct reference to user subscriptions without verifying object ownership. While authentication is required, there is no authorization check to verify if the authenticated user owns the referenced subscription. The issue was fixed in version 1.29.10. Support for arbitrarily presenting an email for update has been deprecated.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
khojPyPI	< 1.29.0	1.29.0

Patches

f05e64cf8c9d

https://github.com/khoj-ai/khojvia osv

47d3c8c23597

Remove email query parameter from subscription patch api

https://github.com/khoj-ai/khojsabaimranNov 12, 2024via ghsa

commit

2 files changed · +3 −2

src/interface/web/app/settings/page.tsx+1 −1 modified

@@ -594,7 +594,7 @@ export default function SettingsView() {
 
     const setSubscription = async (state: string) => {
         try {
-            const url = `/api/subscription?email=${userConfig?.username}&operation=${state}`;
+            const url = `/api/subscription?operation=${state}`;
             const response = await fetch(url, {
                 method: "PATCH",
                 headers: {

src/khoj/routers/api_subscription.py+2 −1 modified

@@ -94,8 +94,9 @@ async def subscribe(request: Request):
 
 @subscription_router.patch("")
 @requires(["authenticated"])
-async def update_subscription(request: Request, email: str, operation: str):
+async def update_subscription(request: Request, operation: str):
     # Retrieve the customer's details
+    email = request.user.object.email
     customers = stripe.Customer.list(email=email).auto_paging_iter()
     customer = next(customers, None)
     if customer is None:

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-hq4h-w933-jm6cghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-52294ghsaADVISORY
github.com/khoj-ai/khoj/commit/47d3c8c23597900af708bdc60aced3ae5d2064c1nvdWEB
github.com/khoj-ai/khoj/security/advisories/GHSA-hq4h-w933-jm6cnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000