CVE-2026-47225

Vulnerability

Typesense versions prior to 29.1 and 30.2 contain a cache isolation issue in the server-side search result caching mechanism when used with Scoped Search API Keys that embed filters to restrict access. Under specific request ordering, cached search results can be incorrectly reused across requests with different Scoped Search API Key constraints. Only deployments that enable both server-side caching and scoped keys with embedded filters are affected; unkeyed or unscoped requests are not impacted [1].

Exploitation

An attacker must be able to issue authenticated search requests using a Scoped Search API Key with embedded filters, and the server must have server-side search result caching enabled. By crafting a sequence of requests — first a request that populates the cache with results for a broader scope, followed by a request from a narrower scoped key — the cached response from the earlier request may be served to the second request, bypassing the intended filter [1]. No additional privileges or race window exploitation is required beyond being a legitimate user of scoped keys.

Impact

Successful exploitation leads to unintended disclosure of search results that should have been restricted by a Scoped Search API Key. An attacker with a scoped key could receive results from a different, more permissive scope, violating the intended data access policy. The vulnerability affects confidentiality only; data integrity and service availability are not impacted [1].

Mitigation

The issue is fixed in Typesense versions 29.1 and 30.2 [1]. Users who cannot upgrade immediately can disable server-side search result caching for search requests that use Scoped Search API Keys as a workaround. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog as of the publication date.