CVE-2026-4263
Description
Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'visitor' in '/api/v1/webchat/message'.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Incorrect authorization in HiJiffy Chatbot lets an attacker download private messages from other users via the 'visitor' parameter in the API.
Vulnerability
Description
CVE-2026-4263 is an incorrect authorization vulnerability in the HiJiffy Chatbot API. The endpoint /api/v1/webchat/message selects which conversation to return from the client-supplied visitor parameter, without verifying that the requester is entitled to that visitor's conversation. By substituting another visitor identifier, an attacker can read messages that belong to other users. This is the pattern commonly described as an insecure direct object reference (IDOR) or broken object level authorization, classified here under CWE-863 (Incorrect Authorization) [1].
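An illustrative reconstruction of the failure class, added here as an example. This is not HiJiffy's code: the message store, the session model and the handler names are assumptions made for the demo; only the endpoint path and the 'visitor' parameter come from the CVE description. The vulnerable handler answers any unauthenticated request that names a visitor (matching PR:N in the vector), while the hardened one derives the authorised visitor from a server-issued session and refuses a 'visitor' value that names anyone else.

```python
"""Illustrative reconstruction of CWE-863 on a chat-message endpoint.

Added example, not HiJiffy code: the store, session model and handler
names are assumptions. Only the path and the 'visitor' parameter come
from the CVE description.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class Store:
    # Constructed sample data: conversations keyed by visitor id, and
    # widget session tokens mapped to the visitor they were issued for.
    messages: Dict[str, List[str]] = field(default_factory=lambda: {
        "v-1001": ["I need to change my booking", "room 412, please"],
        "v-1002": ["Is late checkout possible?"],
    })
    sessions: Dict[str, str] = field(default_factory=lambda: {
        "tok-alice": "v-1001",
        "tok-mallory": "v-1002",
    })


def _visitor_param(url: str) -> Optional[str]:
    """Extract ?visitor=... from a request URL (None if absent)."""
    return parse_qs(urlsplit(url).query).get("visitor", [None])[0]


def vulnerable_handler(store: Store, url: str, token: Optional[str]) -> Tuple[int, List[str]]:
    """Trusts the client-supplied 'visitor' id to pick the conversation and
    never consults the session at all. Anyone who can reach the endpoint
    can read anyone's messages: incorrect authorization (CWE-863)."""
    visitor = _visitor_param(url)
    if visitor is None:
        return 400, []
    return 200, store.messages.get(visitor, [])


def hardened_handler(store: Store, url: str, token: Optional[str]) -> Tuple[int, List[str]]:
    """Derives the authorised visitor from the server-issued session and
    rejects a 'visitor' parameter naming anyone else. A 404 rather than a
    403 avoids confirming to the caller which visitor ids exist."""
    owner = store.sessions.get(token) if token else None
    if owner is None:
        return 401, []
    visitor = _visitor_param(url)
    if visitor is None or visitor != owner:
        return 404, []
    return 200, store.messages.get(owner, [])


if __name__ == "__main__":
    s = Store()
    url = "/api/v1/webchat/message?visitor=v-1001"
    print(vulnerable_handler(s, url, None))           # leaks alice's chat with no session
    print(hardened_handler(s, url, "tok-mallory"))    # mallory is denied
    print(hardened_handler(s, url, "tok-alice"))      # alice reads her own chat
```

The design point is that the object identifier must be bound server-side to the caller's session rather than accepted from the query string; when the id has to stay in the URL for API-shape reasons, it is only ever compared against the session-derived owner, never used directly as the lookup key.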
Exploitation
An attacker can exploit this vulnerability without authentication: the CVSS vector lists a network attack vector with no privileges required (PR:N), no user interaction and low attack complexity [1]. The attacker only needs to supply another visitor identifier in the API request to download the messages from that user's chat session [1].
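Because exploitation amounts to iterating the 'visitor' value, the observable on the server side is one source pulling many distinct visitor ids from the message endpoint, whereas a genuine widget session sticks to a single id. The following detection sketch is an added example, not part of the advisory; the access-log lines are constructed in combined log format, and the threshold of three distinct ids is an assumed starting point to tune per deployment.

```python
"""Detection sketch for visitor-id enumeration against the message
endpoint. Added example, not from the advisory; the log lines below are
constructed and the threshold is an assumption to tune per deployment."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample access-log lines (combined log format): one source
# walks four visitor ids in four seconds, another re-fetches its own chat.
SAMPLE_LOG = """\
203.0.113.9 - - [19/May/2026:10:00:01 +0000] "GET /api/v1/webchat/message?visitor=v-1001 HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.9 - - [19/May/2026:10:00:02 +0000] "GET /api/v1/webchat/message?visitor=v-1002 HTTP/1.1" 200 230 "-" "curl/8.5"
203.0.113.9 - - [19/May/2026:10:00:03 +0000] "GET /api/v1/webchat/message?visitor=v-1003 HTTP/1.1" 200 0 "-" "curl/8.5"
203.0.113.9 - - [19/May/2026:10:00:04 +0000] "GET /api/v1/webchat/message?visitor=v-1004 HTTP/1.1" 200 98 "-" "curl/8.5"
198.51.100.7 - - [19/May/2026:10:00:05 +0000] "GET /api/v1/webchat/message?visitor=v-2201 HTTP/1.1" 200 311 "https://hotel.example/" "Mozilla/5.0"
198.51.100.7 - - [19/May/2026:10:00:09 +0000] "GET /api/v1/webchat/message?visitor=v-2201 HTTP/1.1" 200 311 "https://hotel.example/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
VISITOR_RE = re.compile(r"[?&]visitor=([^&\s]+)")
ENDPOINT = "/api/v1/webchat/message"


def visitors_per_ip(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Collect the distinct visitor ids each source IP requested on the
    message endpoint; other paths and unparseable lines are ignored."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group("path").startswith(ENDPOINT):
            continue
        v = VISITOR_RE.search(m.group("path"))
        if v:
            seen[m.group("ip")].add(v.group(1))
    return dict(seen)


def flag_enumerators(lines: Iterable[str], threshold: int = 3) -> List[str]:
    """Return source IPs that touched at least `threshold` distinct visitor
    ids. The default of 3 is an assumed starting point, not a vendor value."""
    return sorted(ip for ip, ids in visitors_per_ip(lines).items() if len(ids) >= threshold)


if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG.splitlines()))  # ['203.0.113.9']
```

In production the same logic would key on a session or widget token rather than only the source IP, since a NAT gateway can legitimately front many visitors; the IP-keyed version is kept here to stay self-contained.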
Impact
The impact is to confidentiality only, rated low in the CVSS vector: the attacker gains the ability to read other users' private chat messages. Integrity and availability are not affected. The CVSS v4.0 base score is 6.9 (Medium) [1].
Mitigation
The vendor, HiJiffy, recommends updating to the latest available version of the chatbot, which contains the fix for this vulnerability [1]. The affected-products entry on this page still lists all versions and no patch is indexed yet, so confirm the fixed version against the vendor's advisory before treating a deployment as remediated. There is no evidence of active exploitation in the wild as of the publication date.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- HiJiffy / HiJiffy Chatbot v5 (range: all versions)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.