Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
1 vulnerability by crawlchat
CVE-2026-23875 (GCVE-0-2026-23875)
Vulnerability from cvelistv5 – Published: 2026-01-19 20:47 – Updated: 2026-01-20 15:33
VLAI
Title
CrawlChat's Discord Bot has a Knowledge Permission vulnerability
Summary
CrawlChat is an open-source, AI-powered platform that transforms technical documentation into intelligent chatbots. Prior to version 0.0.8, a non-existing permission check for the CrawlChat's Discord bot allows non-manage guild users to put malicious content onto the collection knowledge base. Usually, admin / mods of a Discord guild use the `jigsaw` emoji to save a specific message (chain) onto the collection's knowledge base of CrawlChat. Unfortunately an permission check (for e.g. MANAGE_SERVER; MANAGE_MESSAGES etc.) was not done, allowing normal users of the guild to information to the knowledge base. With targeting specific parts that are commonly asked, users can manipulate the content given out by the bot (on all integrations), to e.g. redirect users to a malicious site, or send information to a malicious user. Version 0.0.8 patches the issue.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/crawlchat/crawlchat/security/a… | x_refsource_CONFIRM |
| https://github.com/crawlchat/crawlchat/commit/f90… | x_refsource_MISC |
| https://github.com/crawlchat/crawlchat/releases/t… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23875",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:32:57.625006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:33:08.209Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "crawlchat",
"vendor": "crawlchat",
"versions": [
{
"status": "affected",
"version": "\u003c 0.0.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CrawlChat is an open-source, AI-powered platform that transforms technical documentation into intelligent chatbots. Prior to version 0.0.8, a non-existing permission check for the CrawlChat\u0027s Discord bot allows non-manage guild users to put malicious content onto the collection knowledge base. Usually, admin / mods of a Discord guild use the `jigsaw` emoji to save a specific message (chain) onto the collection\u0027s knowledge base of CrawlChat. Unfortunately an permission check (for e.g. MANAGE_SERVER; MANAGE_MESSAGES etc.) was not done, allowing normal users of the guild to information to the knowledge base. With targeting specific parts that are commonly asked, users can manipulate the content given out by the bot (on all integrations), to e.g. redirect users to a malicious site, or send information to a malicious user. Version 0.0.8 patches the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T20:47:57.518Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/crawlchat/crawlchat/security/advisories/GHSA-f484-62p4-6w4p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/crawlchat/crawlchat/security/advisories/GHSA-f484-62p4-6w4p"
},
{
"name": "https://github.com/crawlchat/crawlchat/commit/f90ebb93c6a830f6cf609d683f6425af8434573a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/crawlchat/crawlchat/commit/f90ebb93c6a830f6cf609d683f6425af8434573a"
},
{
"name": "https://github.com/crawlchat/crawlchat/releases/tag/v0.0.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/crawlchat/crawlchat/releases/tag/v0.0.8"
}
],
"source": {
"advisory": "GHSA-f484-62p4-6w4p",
"discovery": "UNKNOWN"
},
"title": "CrawlChat\u0027s Discord Bot has a Knowledge Permission vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23875",
"datePublished": "2026-01-19T20:47:57.518Z",
"dateReserved": "2026-01-16T21:02:02.900Z",
"dateUpdated": "2026-01-20T15:33:08.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}